agentaudit 3.9.46 → 3.9.47
- package/package.json +1 -1
- package/prompts/audit-prompt.md +14 -0
package/package.json
CHANGED
package/prompts/audit-prompt.md
CHANGED
|
@@ -472,6 +472,7 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
|
|
|
472
472
|
{
|
|
473
473
|
"severity": "high",
|
|
474
474
|
"pattern_id": "CMD_INJECT_001",
|
|
475
|
+
"cwe_id": "CWE-78",
|
|
475
476
|
"title": "Unescaped user input passed to exec()",
|
|
476
477
|
"description": "User-controlled input from HTTP body is passed directly to exec() without sanitization.",
|
|
477
478
|
"file": "src/runner.js",
|
|
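Review bot: The added `"cwe_id": "CWE-78"` line in the example finding is the only place the value's shape is shown, and it is shown by example rather than stated. Since the field sits beside `pattern_id` as a machine-readable key, state explicitly that the value is a string of the form `CWE-<number>`, so that bare numbers, lowercase prefixes or CWE names are not emitted and a validator has a rule to check against. If the prompt has other example findings outside this hunk, they need the same field now that the second hunk makes it required.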
@@ -507,6 +508,19 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
|
|
|
507
508
|
### Version Tracking (Optional — Backend Auto-Enrichment)
|
|
508
509
|
Backend auto-extracts: `commit_sha`, `content_hash`, `package_version`. Per-finding `file_hash` (SHA-256) is recommended for staleness detection.
|
|
509
510
|
|
|
511
|
+
### CWE ID (Required)
|
|
512
|
+
Every finding MUST include a `cwe_id` field with the most specific applicable CWE identifier.
|
|
513
|
+
Common CWEs for MCP/package security:
|
|
514
|
+
- `CWE-78` Command Injection, `CWE-79` XSS, `CWE-89` SQL Injection, `CWE-94` Code Injection
|
|
515
|
+
- `CWE-22` Path Traversal, `CWE-918` SSRF, `CWE-502` Deserialization
|
|
516
|
+
- `CWE-798` Hardcoded Credentials, `CWE-321` Hardcoded Crypto Key
|
|
517
|
+
- `CWE-862` Missing Authorization (IDOR), `CWE-915` Mass Assignment
|
|
518
|
+
- `CWE-200`/`CWE-209` Information Exposure, `CWE-532` Log Injection
|
|
519
|
+
- `CWE-362` Race Condition, `CWE-601` Open Redirect, `CWE-434` Unrestricted Upload
|
|
520
|
+
- `CWE-444` HTTP Smuggling, `CWE-1321` Prototype Pollution
|
|
521
|
+
- `CWE-327` Weak Crypto, `CWE-338` Weak PRNG, `CWE-1333` ReDoS
|
|
522
|
+
If unsure, use the closest parent CWE. Never omit this field.
|
|
523
|
+
|
|
510
524
|
### Pattern ID Prefixes
|
|
511
525
|
Use: `CMD_INJECT`, `CRED_THEFT`, `DATA_EXFIL`, `DESTRUCT`, `OBF`, `SANDBOX_ESC`, `SUPPLY_CHAIN`, `SOCIAL_ENG`, `PRIV_ESC`, `INFO_LEAK`, `CRYPTO_WEAK`, `DESER`, `PATH_TRAV`, `SEC_BYPASS`, `PERSIST`, `AI_PROMPT`, `CORR`, `MCP_POISON`, `MCP_INJECT`, `MCP_TRAVERSAL`, `MCP_SUPPLY`, `MCP_PERM`, `WORM`, `CICD`, `MANUAL`.
|
|
512
526
|
|
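Review bot: In the new "Common CWEs" list, `CWE-532` is labelled Log Injection, but CWE-532 is Insertion of Sensitive Information into Log File; log injection is CWE-117 (Improper Output Neutralization for Logs). As written, findings about forged or unsanitized log entries will be tagged with the sensitive-data-in-logs identifier, so list both IDs with their own labels. On the `CWE-862` line, IDOR is more specifically CWE-639 (Authorization Bypass Through User-Controlled Key), which matters because the section asks for "the most specific applicable" identifier. Separately, "MUST" and "Never omit this field" combined with "use the closest parent CWE" leave no defined value for findings under prefixes such as `SOCIAL_ENG`, `AI_PROMPT` or `MANUAL` in the Pattern ID Prefixes section just below, none of which has an entry in the list; name the fallback identifier to use in that case so the field is not filled with an arbitrary guess.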