agentaudit 3.9.44 → 3.9.46
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/cli.mjs +23 -2
- package/package.json +1 -1
- package/prompts/audit-prompt.md +4 -11
package/cli.mjs
CHANGED
|
@@ -75,6 +75,7 @@ let jsonMode = false;
|
|
|
75
75
|
let quietMode = false;
|
|
76
76
|
let modelOverride = null; // --model flag or AGENTAUDIT_MODEL env or config
|
|
77
77
|
let globalModelOverride = null; // same, but set early for resolveProvider
|
|
78
|
+
let llmTimeoutMs = null; // --timeout flag (seconds → ms)
|
|
78
79
|
|
|
79
80
|
// ── ANSI Colors (respects NO_COLOR and --no-color) ───────
|
|
80
81
|
|
|
@@ -1679,7 +1680,7 @@ async function auditRepo(url) {
|
|
|
1679
1680
|
system: systemPrompt,
|
|
1680
1681
|
messages: [{ role: 'user', content: userMessage }],
|
|
1681
1682
|
}),
|
|
1682
|
-
signal: AbortSignal.timeout(180_000),
|
|
1683
|
+
signal: AbortSignal.timeout(llmTimeoutMs || 180_000),
|
|
1683
1684
|
});
|
|
1684
1685
|
const data = await res.json();
|
|
1685
1686
|
if (data.error) {
|
|
@@ -1729,7 +1730,7 @@ async function auditRepo(url) {
|
|
|
1729
1730
|
{ role: 'user', content: userMessage },
|
|
1730
1731
|
],
|
|
1731
1732
|
}),
|
|
1732
|
-
signal: AbortSignal.timeout(resolvedProvider.id === 'ollama' ? 300_000 : 180_000),
|
|
1733
|
+
signal: AbortSignal.timeout(llmTimeoutMs || (resolvedProvider.id === 'ollama' ? 300_000 : 180_000)),
|
|
1733
1734
|
});
|
|
1734
1735
|
const data = await res.json();
|
|
1735
1736
|
if (data.error) {
|
|
@@ -1916,6 +1917,12 @@ async function auditRepo(url) {
|
|
|
1916
1917
|
console.log(` ${c.red}failed${c.reset}`);
|
|
1917
1918
|
const errMsg = result.error;
|
|
1918
1919
|
console.log(` ${c.red}API error: ${errMsg}${c.reset}`);
|
|
1920
|
+
if (/abort|timeout/i.test(errMsg)) {
|
|
1921
|
+
const currentTimeout = llmTimeoutMs ? (llmTimeoutMs / 1000) : 180;
|
|
1922
|
+
console.log(` ${c.dim}The model took longer than ${currentTimeout}s to respond.${c.reset}`);
|
|
1923
|
+
console.log(` ${c.dim}Try increasing the timeout: --timeout 300 (or --timeout 600 for reasoning models)${c.reset}`);
|
|
1924
|
+
console.log(` ${c.dim}You can also set AGENTAUDIT_TIMEOUT=300 as environment variable.${c.reset}`);
|
|
1925
|
+
}
|
|
1919
1926
|
if (/context.length|maximum.*tokens|too.many.tokens/i.test(errMsg)) {
|
|
1920
1927
|
console.log(` ${c.dim}This model's context window is too small for this repository.${c.reset}`);
|
|
1921
1928
|
console.log(` ${c.dim}Try a model with a larger context: --model anthropic/claude-sonnet-4 (200k) or --model openai/gpt-4o (128k)${c.reset}`);
|
|
@@ -2210,6 +2217,18 @@ async function main() {
|
|
|
2210
2217
|
|| null;
|
|
2211
2218
|
globalModelOverride = modelOverride;
|
|
2212
2219
|
|
|
2220
|
+
// --timeout flag: --timeout=<seconds> or --timeout <seconds>
|
|
2221
|
+
const timeoutFlagIdx = rawArgs.findIndex(a => a === '--timeout');
|
|
2222
|
+
const timeoutFlagEq = rawArgs.find(a => a.startsWith('--timeout='));
|
|
2223
|
+
const timeoutVal = timeoutFlagEq?.split('=')[1]
|
|
2224
|
+
|| (timeoutFlagIdx >= 0 ? rawArgs[timeoutFlagIdx + 1] : null)
|
|
2225
|
+
|| process.env.AGENTAUDIT_TIMEOUT
|
|
2226
|
+
|| null;
|
|
2227
|
+
if (timeoutVal) {
|
|
2228
|
+
const secs = parseInt(timeoutVal, 10);
|
|
2229
|
+
if (secs > 0) llmTimeoutMs = secs * 1000;
|
|
2230
|
+
}
|
|
2231
|
+
|
|
2213
2232
|
// Strip global flags from args
|
|
2214
2233
|
const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color']);
|
|
2215
2234
|
let args = rawArgs.filter(a => !globalFlags.has(a));
|
|
@@ -2217,6 +2236,8 @@ async function main() {
|
|
|
2217
2236
|
args = args.filter((a, i, arr) => {
|
|
2218
2237
|
if (a.startsWith('--model=')) return false;
|
|
2219
2238
|
if (a === '--model') { arr[i + 1] = '__skip__'; return false; }
|
|
2239
|
+
if (a.startsWith('--timeout=')) return false;
|
|
2240
|
+
if (a === '--timeout') { arr[i + 1] = '__skip__'; return false; }
|
|
2220
2241
|
if (a === '__skip__') return false;
|
|
2221
2242
|
return true;
|
|
2222
2243
|
});
|
package/package.json
CHANGED
package/prompts/audit-prompt.md
CHANGED
|
@@ -409,12 +409,9 @@ If **any** fails → real vulnerability (`by_design: false`).
|
|
|
409
409
|
|
|
410
410
|
## 3.10 Final Triage
|
|
411
411
|
|
|
412
|
-
### Finding
|
|
412
|
+
### Finding Quality Check
|
|
413
413
|
|
|
414
|
-
If more than
|
|
415
|
-
1. Keep highest severity + highest confidence
|
|
416
|
-
2. Merge ONLY when same pattern_id + same file
|
|
417
|
-
3. Drop LOW-confidence findings first
|
|
414
|
+
Report ALL genuine findings — do not artificially limit the count. If a package has 20 real vulnerabilities, report all 20. However, if you have more than 15 candidates, double-check each against the Self-Check (§3.1) to ensure every finding has concrete evidence and is not a duplicate.
|
|
418
415
|
|
|
419
416
|
### Anti-Merging Rules
|
|
420
417
|
|
|
@@ -654,10 +651,6 @@ Consult these patterns during Phase 2 evidence collection. Remember: a pattern m
|
|
|
654
651
|
- risk_score > 50 for a package with no confirmed exploit path
|
|
655
652
|
- Multiple credential-config findings for the same .env/env-var system — merge or drop
|
|
656
653
|
|
|
657
|
-
##
|
|
654
|
+
## Quality Guidance
|
|
658
655
|
|
|
659
|
-
|
|
660
|
-
- ~20-25%: `caution` (26-50)
|
|
661
|
-
- ~5-10%: `unsafe` (51-100) — only confirmed malware or severe vulnerabilities
|
|
662
|
-
- CRITICAL findings in <5% of audits
|
|
663
|
-
- Average findings per audit: 1-3 (not 5-10)
|
|
656
|
+
Judge each audit on its own merits. A clean package should have 0 findings; a heavily vulnerable package may have 20+. Do not target a specific distribution — report what you find with evidence.
|