agentaudit 3.9.46 → 3.9.48
- package/cli.mjs +4 -5
- package/package.json +1 -1
- package/prompts/audit-prompt.md +14 -0
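--- a/package/cli.mjs
+++ b/package/cli.mjs
@@ -2630,8 +2630,7 @@ async function main() {
 }
 
 if (hadErrors && results.length === 0) { process.exitCode = 2; return; }
-
-process.exitCode = totalFindings > 0 ? 1 : 0;
+process.exitCode = 0;
 return;
 }
 
@@ -2644,12 +2643,12 @@ async function main() {
 return;
 }
 
-let
+let hasErrors = false;
 for (const url of urls) {
 const report = await auditRepo(url);
-if (report
+if (!report) hasErrors = true;
 }
-process.exitCode =
+process.exitCode = hasErrors ? 2 : 0;
 return;
 }
 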
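Review bot: The new `process.exitCode = 0;` at new line 2633 makes a scan that reported findings indistinguishable from a clean scan at the process level, so any pipeline step that gated on this tool's exit status would now pass with findings present. The multi-URL path has the same property: `hasErrors ? 2 : 0` at new line 2651 only reflects whether `auditRepo` returned a falsy report, not what the report contains. If findings are meant to be non-fatal by default, I would say so at both sites with a comment such as `// Exit status signals scan errors only (2); findings never fail the process, so callers must gate on the report output.` and consider keeping the previous non-zero-on-findings behaviour behind an opt-in option. Both hunks sit inside main(), whose body starts and ends outside the visible lines, so whether findings are surfaced another way cannot be confirmed from here.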
package/package.json
CHANGED
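--- a/package/prompts/audit-prompt.md
+++ b/package/prompts/audit-prompt.md
@@ -472,6 +472,7 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
 {
 "severity": "high",
 "pattern_id": "CMD_INJECT_001",
+"cwe_id": "CWE-78",
 "title": "Unescaped user input passed to exec()",
 "description": "User-controlled input from HTTP body is passed directly to exec() without sanitization.",
 "file": "src/runner.js",
@@ -507,6 +508,19 @@ To find source_url: check `package.json` → `repository.url`, `_meta.json` →
 ### Version Tracking (Optional — Backend Auto-Enrichment)
 Backend auto-extracts: `commit_sha`, `content_hash`, `package_version`. Per-finding `file_hash` (SHA-256) is recommended for staleness detection.
 
+### CWE ID (Required)
+Every finding MUST include a `cwe_id` field with the most specific applicable CWE identifier.
+Common CWEs for MCP/package security:
+- `CWE-78` Command Injection, `CWE-79` XSS, `CWE-89` SQL Injection, `CWE-94` Code Injection
+- `CWE-22` Path Traversal, `CWE-918` SSRF, `CWE-502` Deserialization
+- `CWE-798` Hardcoded Credentials, `CWE-321` Hardcoded Crypto Key
+- `CWE-862` Missing Authorization (IDOR), `CWE-915` Mass Assignment
+- `CWE-200`/`CWE-209` Information Exposure, `CWE-532` Log Injection
+- `CWE-362` Race Condition, `CWE-601` Open Redirect, `CWE-434` Unrestricted Upload
+- `CWE-444` HTTP Smuggling, `CWE-1321` Prototype Pollution
+- `CWE-327` Weak Crypto, `CWE-338` Weak PRNG, `CWE-1333` ReDoS
+If unsure, use the closest parent CWE. Never omit this field.
+
 ### Pattern ID Prefixes
 Use: `CMD_INJECT`, `CRED_THEFT`, `DATA_EXFIL`, `DESTRUCT`, `OBF`, `SANDBOX_ESC`, `SUPPLY_CHAIN`, `SOCIAL_ENG`, `PRIV_ESC`, `INFO_LEAK`, `CRYPTO_WEAK`, `DESER`, `PATH_TRAV`, `SEC_BYPASS`, `PERSIST`, `AI_PROMPT`, `CORR`, `MCP_POISON`, `MCP_INJECT`, `MCP_TRAVERSAL`, `MCP_SUPPLY`, `MCP_PERM`, `WORM`, `CICD`, `MANUAL`.
 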
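Review bot: In the added list at new line 518, CWE-532 is labelled "Log Injection", but CWE-532 is Insertion of Sensitive Information into Log File; log injection is CWE-117 (Improper Output Neutralization for Logs). With the current wording, either kind of finding is likely to be tagged with the wrong identifier. I would change that bullet to `- CWE-200/CWE-209 Information Exposure, CWE-532 Sensitive Data in Logs, CWE-117 Log Injection`. At new line 517, IDOR is more specifically CWE-639 (Authorization Bypass Through User-Controlled Key), with CWE-862 as the broader parent, so `CWE-639 IDOR` could be listed next to `CWE-862 Missing Authorization` to match the section's own "most specific applicable" rule.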