npm - agentaudit - Versions diffs - 3.9.45 → 3.9.47 - Mend

agentaudit 3.9.45 → 3.9.47

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli.mjs CHANGED Viewed

@@ -75,6 +75,7 @@ let jsonMode = false;
 let quietMode = false;
 let modelOverride = null; // --model flag or AGENTAUDIT_MODEL env or config
 let globalModelOverride = null; // same, but set early for resolveProvider
+let llmTimeoutMs = null; // --timeout flag (seconds → ms)
 // ── ANSI Colors (respects NO_COLOR and --no-color) ───────
@@ -1679,7 +1680,7 @@ async function auditRepo(url) {
             system: systemPrompt,
             messages: [{ role: 'user', content: userMessage }],
           }),
-          signal: AbortSignal.timeout(180_000),
+          signal: AbortSignal.timeout(llmTimeoutMs || 180_000),
         });
         const data = await res.json();
         if (data.error) {
@@ -1729,7 +1730,7 @@ async function auditRepo(url) {
               { role: 'user', content: userMessage },
             ],
           }),
-          signal: AbortSignal.timeout(resolvedProvider.id === 'ollama' ? 300_000 : 180_000),
+          signal: AbortSignal.timeout(llmTimeoutMs || (resolvedProvider.id === 'ollama' ? 300_000 : 180_000)),
         });
         const data = await res.json();
         if (data.error) {
@@ -1916,6 +1917,12 @@ async function auditRepo(url) {
       console.log(` ${c.red}failed${c.reset}`);
       const errMsg = result.error;
       console.log(`  ${c.red}API error: ${errMsg}${c.reset}`);
+      if (/abort|timeout/i.test(errMsg)) {
+        const currentTimeout = llmTimeoutMs ? (llmTimeoutMs / 1000) : 180;
+        console.log(`  ${c.dim}The model took longer than ${currentTimeout}s to respond.${c.reset}`);
+        console.log(`  ${c.dim}Try increasing the timeout: --timeout 300 (or --timeout 600 for reasoning models)${c.reset}`);
+        console.log(`  ${c.dim}You can also set AGENTAUDIT_TIMEOUT=300 as environment variable.${c.reset}`);
+      }
       if (/context.length|maximum.*tokens|too.many.tokens/i.test(errMsg)) {
         console.log(`  ${c.dim}This model's context window is too small for this repository.${c.reset}`);
         console.log(`  ${c.dim}Try a model with a larger context: --model anthropic/claude-sonnet-4 (200k) or --model openai/gpt-4o (128k)${c.reset}`);
@@ -2210,6 +2217,18 @@ async function main() {
     || null;
   globalModelOverride = modelOverride;
+  // --timeout flag: --timeout=<seconds> or --timeout <seconds>
+  const timeoutFlagIdx = rawArgs.findIndex(a => a === '--timeout');
+  const timeoutFlagEq = rawArgs.find(a => a.startsWith('--timeout='));
+  const timeoutVal = timeoutFlagEq?.split('=')[1]
+    || (timeoutFlagIdx >= 0 ? rawArgs[timeoutFlagIdx + 1] : null)
+    || process.env.AGENTAUDIT_TIMEOUT
+    || null;
+  if (timeoutVal) {
+    const secs = parseInt(timeoutVal, 10);
+    if (secs > 0) llmTimeoutMs = secs * 1000;
+  }
   // Strip global flags from args
   const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color']);
   let args = rawArgs.filter(a => !globalFlags.has(a));
@@ -2217,6 +2236,8 @@ async function main() {
   args = args.filter((a, i, arr) => {
     if (a.startsWith('--model=')) return false;
     if (a === '--model') { arr[i + 1] = '__skip__'; return false; }
+    if (a.startsWith('--timeout=')) return false;
+    if (a === '--timeout') { arr[i + 1] = '__skip__'; return false; }
     if (a === '__skip__') return false;
     return true;
   });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.45",
+  "version": "3.9.47",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {

package/prompts/audit-prompt.md CHANGED Viewed

@@ -472,6 +472,7 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
     {
       "severity": "high",
       "pattern_id": "CMD_INJECT_001",
+      "cwe_id": "CWE-78",
       "title": "Unescaped user input passed to exec()",
       "description": "User-controlled input from HTTP body is passed directly to exec() without sanitization.",
       "file": "src/runner.js",
@@ -507,6 +508,19 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
 ### Version Tracking (Optional — Backend Auto-Enrichment)
 Backend auto-extracts: `commit_sha`, `content_hash`, `package_version`. Per-finding `file_hash` (SHA-256) is recommended for staleness detection.
+### CWE ID (Required)
+Every finding MUST include a `cwe_id` field with the most specific applicable CWE identifier.
+Common CWEs for MCP/package security:
+- `CWE-78` Command Injection, `CWE-79` XSS, `CWE-89` SQL Injection, `CWE-94` Code Injection
+- `CWE-22` Path Traversal, `CWE-918` SSRF, `CWE-502` Deserialization
+- `CWE-798` Hardcoded Credentials, `CWE-321` Hardcoded Crypto Key
+- `CWE-862` Missing Authorization (IDOR), `CWE-915` Mass Assignment
+- `CWE-200`/`CWE-209` Information Exposure, `CWE-532` Log Injection
+- `CWE-362` Race Condition, `CWE-601` Open Redirect, `CWE-434` Unrestricted Upload
+- `CWE-444` HTTP Smuggling, `CWE-1321` Prototype Pollution
+- `CWE-327` Weak Crypto, `CWE-338` Weak PRNG, `CWE-1333` ReDoS
+If unsure, use the closest parent CWE. Never omit this field.
 ### Pattern ID Prefixes
 Use: `CMD_INJECT`, `CRED_THEFT`, `DATA_EXFIL`, `DESTRUCT`, `OBF`, `SANDBOX_ESC`, `SUPPLY_CHAIN`, `SOCIAL_ENG`, `PRIV_ESC`, `INFO_LEAK`, `CRYPTO_WEAK`, `DESER`, `PATH_TRAV`, `SEC_BYPASS`, `PERSIST`, `AI_PROMPT`, `CORR`, `MCP_POISON`, `MCP_INJECT`, `MCP_TRAVERSAL`, `MCP_SUPPLY`, `MCP_PERM`, `WORM`, `CICD`, `MANUAL`.