agent-security-scanner-mcp 3.17.2 → 3.19.0

package/rules/__init__.py

@@ -201,16 +201,55 @@ def get_rules():
     return rules
 
 
-def get_rules_for_language(language):
-    """Get rules applicable to a specific language"""
+def get_rules_for_language(language, file_path=None):
+    """Get rules applicable to a specific language.
+
+    Generic rules that declare a specific technology in their metadata are
+    only applied when the scanned language or file path indicates that
+    technology is relevant.  This prevents, e.g., Hugo-specific rules from
+    firing on plain JavaScript database code.
+    """
     all_rules = get_rules()
     applicable_rules = {}
 
     language = language.lower()
 
+    # Map technology names to the languages/file-path hints where they apply
+    _TECH_LANGUAGES = {
+        'hugo': {'go', 'html', 'toml', 'yaml'},
+        'django': {'python', 'html'},
+        'rails': {'ruby', 'html', 'erb'},
+        'spring': {'java', 'kotlin'},
+        'laravel': {'php'},
+        'angular': {'typescript', 'javascript', 'html'},
+        'react': {'javascript', 'typescript', 'jsx', 'tsx'},
+    }
+
     for rule_id, rule in all_rules.items():
         rule_languages = [lang.lower() for lang in rule.get('languages', ['generic'])]
-        if language in rule_languages or 'generic' in rule_languages:
+
+        if language in rule_languages:
+            applicable_rules[rule_id] = rule
+            continue
+
+        if 'generic' in rule_languages:
+            # Check if this generic rule is scoped to a specific technology
+            techs = rule.get('metadata', {}).get('technology')
+            if techs and isinstance(techs, list):
+                # Only apply if the current language is relevant to the technology
+                tech_relevant = False
+                for tech in techs:
+                    tech_lower = tech.lower()
+                    allowed = _TECH_LANGUAGES.get(tech_lower)
+                    if allowed and language in allowed:
+                        tech_relevant = True
+                        break
+                    # Also check if the technology name appears in the file path
+                    if file_path and tech_lower in file_path.lower():
+                        tech_relevant = True
+                        break
+                if not tech_relevant:
+                    continue
             applicable_rules[rule_id] = rule
 
     return applicable_rules

package/rules/prompt-injection.security.yaml

@@ -672,8 +672,8 @@ rules:
     severity: WARNING
     message: "Potential Base64-encoded prompt injection payload. Encoded content may hide malicious instructions."
     patterns:
-      - "(?i)decode\\s+(this\\s+)?base64\\s*:\\s*[A-Za-z0-9+/=]{20,}"
-      - "(?i)base64\\s*:\\s*[A-Za-z0-9+/=]{40,}"
+      - "(?i)decode\\s+(this\\s+)?base64\\s*:\\s*[A-Za-z0-9+/=]{20,200}"
+      - "(?i)base64\\s*:\\s*[A-Za-z0-9+/=]{40,200}"
       - "aWdub3JlIHByZXZpb3Vz"
       - "c3lzdGVtIHByb21wdA=="
       - "(?i)execute\\s+(this\\s+)?encoded"
@@ -682,8 +682,8 @@ rules:
       - "aWdub3JlIGFsbC"
       - "b3ZlcnJpZGU="
       - "(?i)base64.{0,20}instructions?.{0,20}follow"
-      - "[A-Za-z0-9+/]{40,}={0,2}\\s*.{0,20}(?i)(decode|execute|follow|run)"
-      - "(?i)(decode|run|execute)\\s+.{0,20}[A-Za-z0-9+/]{40,}={0,2}"
+      - "[A-Za-z0-9+/]{40,200}={0,2}[^A-Za-z0-9+/=].{0,20}(?:decode|execute|follow|run)"
+      - "(?i)(decode|run|execute)\\s+.{0,20}[A-Za-z0-9+/]{40,200}={0,2}"
     metadata:
       cwe: "CWE-77"
       owasp: "LLM01 - Prompt Injection"