@vulcn/engine 0.9.2 → 0.9.3
- package/CHANGELOG.md +41 -0
- package/dist/index.cjs +707 -363
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +663 -148
- package/dist/index.d.ts +663 -148
- package/dist/index.js +685 -355
- package/dist/index.js.map +1 -1
- package/package.json +6 -2
package/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,46 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## 0.9.3
|
|
4
|
+
|
|
5
|
+
### Patch Changes
|
|
6
|
+
|
|
7
|
+
- 90b60ed: Docs: align all documentation with v0.9 refactored architecture
|
|
8
|
+
- Replace all `vulcn.config.yml` references with `.vulcn.yml` flat config
|
|
9
|
+
- Remove `vulcn plugin` command (deleted `cli/plugin.mdx`, removed from nav)
|
|
10
|
+
- Update `vulcn run` examples to argless format (auto-discovers sessions from `sessions/`)
|
|
11
|
+
- Update auth path from `.vulcn/auth.enc` to `auth/state.enc`
|
|
12
|
+
- Replace `driverManager`/`pluginManager` singletons with `new DriverManager()`/`new PluginManager()` + `loadFromConfig()`
|
|
13
|
+
- Replace `Runner.execute()` with `DriverManager.executeScan()`
|
|
14
|
+
- Remove legacy exports section from API overview, add Project Config exports
|
|
15
|
+
- Rewrite plugins overview to document auto-loading from flat config keys
|
|
16
|
+
- Update drivers/browser config, auth workflow, and programmatic examples
|
|
17
|
+
- Update drivers/creating-drivers to remove config-based driver registration
|
|
18
|
+
- Rewrite plugin-api.mdx Session/Step types and PluginManager methods
|
|
19
|
+
- Fix plugin-report, plugin-passive, plugin-payloads, plugin-detect-sqli examples
|
|
20
|
+
|
|
21
|
+
- 90b60ed: Improve reflection detection accuracy — eliminate XSS false positives
|
|
22
|
+
|
|
23
|
+
**@vulcn/driver-browser**
|
|
24
|
+
- `checkReflection`: verbatim-only matches now use type `"reflection"` instead of the payload category, distinguishing low-confidence reflection from confirmed exploitation
|
|
25
|
+
- `checkReflection`: detect patterns only run when the payload appears verbatim in rendered content, preventing false matches on partially-encoded reflections
|
|
26
|
+
- `checkReflection`: encoding suppression now explicitly checks for dangerous HTML chars before calling `isHtmlEncoded`
|
|
27
|
+
- `confirmedTypes` early-exit now only triggers on high-confidence findings (type matches payload category), allowing the scanner to continue trying payloads that may trigger actual execution (e.g. `alert()`)
|
|
28
|
+
|
|
29
|
+
**@vulcn/plugin-detect-reflection**
|
|
30
|
+
- Skip payloads without dangerous HTML characters — reflecting plain text like `alert(1)` is not a vulnerability
|
|
31
|
+
- Include authentication cookies when fetching raw content for encoding checks
|
|
32
|
+
- Simplified encoding check flow
|
|
33
|
+
|
|
34
|
+
**benchmarks**
|
|
35
|
+
- Exclude `"reflection"` findings from XSS benchmark evaluation (reflection ≠ confirmed XSS)
|
|
36
|
+
- Add Youden's J score with qualitative label to per-case summary output
|
|
37
|
+
|
|
38
|
+
**WAVSEP XSS benchmark (before → after)**
|
|
39
|
+
- False Positives: 6 → 0
|
|
40
|
+
- True Negatives: 1 → 7
|
|
41
|
+
- Precision: 88.5% → 100%
|
|
42
|
+
- Youden's J: 0.051 → 0.479
|
|
43
|
+
|
|
3
44
|
## 0.9.2
|
|
4
45
|
|
|
5
46
|
### Patch Changes
|
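Review bot: The "WAVSEP XSS benchmark (before → after)" list at the end of the 0.9.3 entry reports False Positives, True Negatives, Precision and Youden's J but gives no true-positive, false-negative or recall figures, so a reader cannot tell what the false-positive fix cost in detection. Under the standard definition (J = sensitivity + specificity − 1), TN 7 with FP 0 gives specificity 1.0, so J 0.479 would correspond to a sensitivity of about 0.48, while the "before" figures (specificity 1/7, J 0.051) would correspond to about 0.91. If the benchmark computes J that way over these counts, recall dropped substantially and the entry should say so, for example by adding "True Positives" and "False Negatives" lines next to the existing four. Two related points in the same entry: the `@vulcn/plugin-detect-reflection` bullet "Skip payloads without dangerous HTML characters" should state which output context it assumes, since the entry does not say how reflections outside HTML body context are treated; and the `checkReflection` switch of verbatim-only matches to type `"reflection"` changes what consumers filtering on the payload category will receive, which deserves an explicit upgrade note in a release filed under "Patch Changes".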