agentaudit 3.9.43 → 3.9.45
- package/cli.mjs +8 -1
- package/package.json +1 -1
- package/prompts/audit-prompt.md +4 -11
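--- a/package/cli.mjs
+++ b/package/cli.mjs
@@ -1956,7 +1956,14 @@ async function auditRepo(url) {
 
 // Display results
 console.log();
-
+// Always recalculate risk_score from findings severities (never trust LLM's score)
+const _sevW = { critical: 25, high: 15, medium: 5, low: 1 };
+const recalcRisk = report.findings && report.findings.length > 0
+? Math.min(100, report.findings.reduce((s, f) => s + (_sevW[f.severity] || 0), 0))
+: 0;
+report.risk_score = recalcRisk;
+report.result = recalcRisk === 0 ? 'safe' : recalcRisk <= 20 ? 'caution' : 'unsafe';
+const riskScore = recalcRisk;
 const trustScore = 100 - riskScore;
 const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
 const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';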
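Review bot: The added `_sevW[f.severity] || 0` lookup fails open: each finding's `severity` sits in the same report as the score the comment says not to trust (presumably LLM output as well), and any value other than the four exact lowercase keys — different casing, `info`, a missing field — adds 0, so a report with findings can still be stored as `risk_score` 0 / `result` 'safe'. Because `_sevW` is a plain object, an inherited key such as `constructor` is truthy and turns the sum into a non-number. Normalising and giving unknown severities a non-zero floor would close both, e.g. `const sev = String(f.severity ?? '').toLowerCase();` then `s + (Object.hasOwn(_sevW, sev) ? _sevW[sev] : _sevW.medium)`. Separately, `report.result` becomes 'unsafe' above a risk of 20 while the unchanged `trustLabel` still prints 'SAFE' down to a trust score of 70, so a risk of 25 is recorded as unsafe and displayed as SAFE; the two scales should share one set of thresholds. `auditRepo` starts and ends outside this hunk, so how `report` is parsed is not visible here.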
package/package.json
CHANGED
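--- a/package/prompts/audit-prompt.md
+++ b/package/prompts/audit-prompt.md
@@ -409,12 +409,9 @@ If **any** fails → real vulnerability (`by_design: false`).
 
 ## 3.10 Final Triage
 
-### Finding
+### Finding Quality Check
 
-If more than
-1. Keep highest severity + highest confidence
-2. Merge ONLY when same pattern_id + same file
-3. Drop LOW-confidence findings first
+Report ALL genuine findings — do not artificially limit the count. If a package has 20 real vulnerabilities, report all 20. However, if you have more than 15 candidates, double-check each against the Self-Check (§3.1) to ensure every finding has concrete evidence and is not a duplicate.
 
 ### Anti-Merging Rules
 
@@ -654,10 +651,6 @@ Consult these patterns during Phase 2 evidence collection. Remember: a pattern m
 - risk_score > 50 for a package with no confirmed exploit path
 - Multiple credential-config findings for the same .env/env-var system — merge or drop
 
-##
+## Quality Guidance
 
-
-- ~20-25%: `caution` (26-50)
-- ~5-10%: `unsafe` (51-100) — only confirmed malware or severe vulnerabilities
-- CRITICAL findings in <5% of audits
-- Average findings per audit: 1-3 (not 5-10)
+Judge each audit on its own merits. A clean package should have 0 findings; a heavily vulnerable package may have 20+. Do not target a specific distribution — report what you find with evidence.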