cognium-ai 2.25.2 → 2.25.4
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA;;;;GAIG;
|
|
1
|
+
{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAeH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAM1C;;GAEG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAmLhE"}
|
|
@@ -4,7 +4,9 @@
|
|
|
4
4
|
* Runs continuous security scanning with OWASP Top 10 mapping.
|
|
5
5
|
*/
|
|
6
6
|
import * as fs from 'fs';
|
|
7
|
-
import { scanDirectory, formatScanReport, scanResultToSarif, getDefaultLLMConfig, validateLLMConfig,
|
|
7
|
+
import { scanDirectory, formatScanReport, scanResultToSarif, getDefaultLLMConfig, validateLLMConfig,
|
|
8
|
+
// cognium-ai#166 L1 — snapshot code-context truncation across the scan
|
|
9
|
+
resetTruncationCount, snapshotTruncationCount, } from 'circle-ir-ai';
|
|
8
10
|
import { getEffectiveOptions } from '../effective-options.js';
|
|
9
11
|
import { applyFindingsCap } from '../findings-cap.js';
|
|
10
12
|
import { enrichScanSarif } from '../formatters/scan-sarif-enrich.js';
|
|
@@ -83,13 +85,35 @@ export async function executeScan(args) {
|
|
|
83
85
|
},
|
|
84
86
|
};
|
|
85
87
|
try {
|
|
88
|
+
// cognium-ai#166 L1 — zero the process-wide truncation counter so
|
|
89
|
+
// the snapshot after the scan reflects only this run.
|
|
90
|
+
resetTruncationCount();
|
|
86
91
|
const rawResult = await scanDirectory(targetPath, options);
|
|
92
|
+
const truncationCount = snapshotTruncationCount();
|
|
93
|
+
// cognium-ai#166 L1 — always report truncation count in JSON output;
|
|
94
|
+
// WARN to stderr (unmuted by --quiet) when > 5. Truncation silently
|
|
95
|
+
// drops the tail of large methods so the LLM sees a partial view,
|
|
96
|
+
// biasing verification toward false negatives. A sweep with many
|
|
97
|
+
// truncations means the LLM never saw the sinks past the cut.
|
|
98
|
+
if (truncationCount > 5) {
|
|
99
|
+
console.error(`[warn] cognium-ai#166: ${truncationCount} code snippets exceeded MAX_CODE_CONTEXT_LENGTH and were truncated for the LLM. Findings past the cut were invisible to verification.`);
|
|
100
|
+
}
|
|
87
101
|
// #113 — per-(filePath, finding.type) cap. Applied AFTER the engine
|
|
88
102
|
// returns, BEFORE serialization, so it covers both the verified and
|
|
89
103
|
// unverified code paths in the engine's `runReport()`. Cap value
|
|
90
104
|
// 0 short-circuits (the helper returns the raw result unchanged).
|
|
91
105
|
const { result, stats: capStats } = applyFindingsCap(rawResult, eff.scan.maxFindingsPerFilePerType);
|
|
92
|
-
|
|
106
|
+
// #164 L1 — visibility for large-repo suppression.
|
|
107
|
+
// The cap silently drops findings on high-amplification files (e.g.
|
|
108
|
+
// redis/jedis facade classes: one bucket capped 769 findings to 5).
|
|
109
|
+
// Sweep harnesses run with `--quiet`, so the informational WARN
|
|
110
|
+
// below is muted — but a bulk-suppression event still deserves a
|
|
111
|
+
// stderr line so the operator can spot it in the log. Threshold:
|
|
112
|
+
// 100 suppressed findings across any number of buckets.
|
|
113
|
+
if (capStats.totalSuppressed > 100) {
|
|
114
|
+
console.error(`[warn] cognium-ai#164: cap=${capStats.cap} suppressed ${capStats.totalSuppressed} findings across ${capStats.bucketsOverflowed} (file,type) buckets (largest single bucket: ${capStats.largestBucketSuppressed}). Raise --max-findings-per-file-per-type to see them.`);
|
|
115
|
+
}
|
|
116
|
+
else if (!args.quiet && capStats.bucketsOverflowed > 0) {
|
|
93
117
|
console.error(`[#113] cap=${capStats.cap}: ${capStats.totalSuppressed} findings suppressed across ${capStats.bucketsOverflowed} (file,type) buckets (largest: ${capStats.largestBucketSuppressed}).`);
|
|
94
118
|
}
|
|
95
119
|
// Output results
|
|
@@ -103,6 +127,9 @@ export async function executeScan(args) {
|
|
|
103
127
|
...result,
|
|
104
128
|
totalFindings: result.summary.totalFindings,
|
|
105
129
|
cappingStats: capStats,
|
|
130
|
+
// cognium-ai#166 L1 — emit truncation count so triage tooling
|
|
131
|
+
// knows how many LLM calls saw a partial view of their method.
|
|
132
|
+
truncationCount,
|
|
106
133
|
};
|
|
107
134
|
const output = JSON.stringify(jsonResult, null, 2);
|
|
108
135
|
if (args.output) {
|
|
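Review bot: In the `@@ -83,13 +85,35 @@` hunk a run with one to five truncations reports nothing to the operator outside the JSON path, even though the comment on the same lines says a single cut hides the sinks past it; the `> 5` gate decides only the quiet-proof WARN, not whether the count is surfaced at all. The #164 block directly below already has the intended shape (loud above a threshold, an informational line when `!args.quiet` and the count is non-zero), so the truncation check should mirror it with a second branch `} else if (!args.quiet && truncationCount > 0) {` that prints a `[#166]` line with the count, the same way the `[#113]` line does for the cap. Hoisting the literals `5` and `100` into named constants (for example `TRUNCATION_WARN_THRESHOLD` and `CAP_WARN_THRESHOLD`) would also record why those values were chosen, which the comments currently do not. As far as the visible hunks show only the JSON branch carries `truncationCount`; if the SARIF and text branches (outside the hunk) do not, triage from those formats cannot tell that verification ran on a partial view, which is the gap this change is meant to close. `executeScan` starts and ends outside the hunk.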
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,
|
|
1
|
+
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/cli/commands/scan.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,OAAO,EACL,aAAa,EACb,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB;AACjB,uEAAuE;AACvE,oBAAoB,EACpB,uBAAuB,GAExB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AACrE,OAAO,EAAE,8BAA8B,EAAE,MAAM,uBAAuB,CAAC;AAEvE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAa;IAC7C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAEnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,KAAK,CAAC,0BAA0B,UAAU,EAAE,CAAC,CAAC;QACtD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,2EAA2E;IAC3E,6EAA6E;IAC7E,IAAI,UAAU,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC;IAC7B,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;QACxC,IAAI,CAAC;YACH,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC7B,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,YAAY,UAAU,kCAAkC,CAAC,CAAC;gBACxE,OAAO,CAAC,KAAK,CAAC,gBAAgB,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,KAAK,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9F,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,UAAU,GAAG,KAAK,CAAC;YACnB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,OAAO,CAAC,KAAK,CAAC,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,qCAAqC,CAAC,CAAC;gBAC1H,OAAO,CAAC,KAAK,CAAC,YAAY,UAAU,kCAAkC,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,KAAK,CAAC,YAAY,UAAU,kCAAkC,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAED,2EAA2E;IAC3E,MAAM,GAAG,GAAG,mBAAmB,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;IAElD,mEAAmE;IACnE,qEAAqE;IACrE,iEAAiE;IACjE,MAAM,gBAAgB,GAAG,GAAG,CAAC,IAAI,CAAC,YAAY;QAC5C,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC;QAChD,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC;IAEhB,kEAAkE;IAClE,8DAA8D;IAC9D,kEAAkE;IAClE,mEAAmE;IACnE,+BAA+B;IAC/B,MAAM,cAAc,GAAG,MAAM,8BAA8B,CAAC,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAErF,MAAM,OAAO,GAAyB;QACpC,MAAM,EA
AE,UAAU;QAClB,SAAS,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAA6B,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,CAAwB;QACrK,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QAClE,SAAS,EAAE,UAAU;QACrB,mEAAmE;QACnE,kEAAkE;QAClE,gEAAgE;QAChE,eAAe,EAAE,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK;QACpD,OAAO,EAAE,CAAC,IAAI,CAAC,KAAK;QACpB,aAAa,EAAE,IAAI,CAAC,WAAW,GAAG,IAAI;QACtC,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,SAAS;QACpC,WAAW,EAAE,GAAG,CAAC,QAAQ;QACzB,eAAe,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QACjE,eAAe,EAAE,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS;QAC3E,kEAAkE;QAClE,6DAA6D;QAC7D,iEAAiE;QACjE,cAAc,EAAE,cAA+C;QAC/D,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE;YAChD,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;gBACjC,OAAO,CAAC,KAAK,CAAC,IAAI,QAAQ,CAAC,cAAc,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC,CAAC;YACrG,CAAC;QACH,CAAC;KACF,CAAC;IAEF,IAAI,CAAC;QACH,kEAAkE;QAClE,sDAAsD;QACtD,oBAAoB,EAAE,CAAC;QAEvB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,eAAe,GAAG,uBAAuB,EAAE,CAAC;QAElD,qEAAqE;QACrE,oEAAoE;QACpE,kEAAkE;QAClE,iEAAiE;QACjE,8DAA8D;QAC9D,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,KAAK,CACX,0BAA0B,eAAe,uIAAuI,CACjL,CAAC;QACJ,CAAC;QAED,oEAAoE;QACpE,oEAAoE;QACpE,iEAAiE;QACjE,kEAAkE;QAClE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,gBAAgB,CAClD,SAAS,EACT,GAAG,CAAC,IAAI,CAAC,yBAAyB,CACnC,CAAC;QACF,mDAAmD;QACnD,oEAAoE;QACpE,oEAAoE;QACpE,gEAAgE;QAChE,iEAAiE;QACjE,iEAAiE;QACjE,wDAAwD;QACxD,IAAI,QAAQ,CAAC,eAAe,GAAG,GAAG,EAAE,CAAC;YACnC,OAAO,CAAC,KAAK,CACX,8BAA8B,QAAQ,CAAC,GAAG,eAAe,QAAQ,CAAC,eAAe,oBAAoB,QAAQ,CAAC,iBAAiB,gDAAgD,QAAQ,CAAC,uBAAuB,wDAAwD,CACxQ,CAAC;QACJ,CAAC;aAAM,IAAI,CAAC,IAAI,CAAC,KAAK,IAAI,QAAQ,CAAC,iBAAiB,GAAG,CAAC,EAAE,CAAC;YACzD,OAAO,CAAC,KAAK,CACX,cAAc,QAAQ,CAAC,GAAG,KAAK,QAAQ,CAAC,e
AAe,+BAA+B,QAAQ,CAAC,iBAAiB,kCAAkC,QAAQ,CAAC,uBAAuB,IAAI,CACvL,CAAC;QACJ,CAAC;QAED,iBAAiB;QACjB,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;YAC3B,oEAAoE;YACpE,oEAAoE;YACpE,qCAAqC;YACrC,kEAAkE;YAClE,qDAAqD;YACrD,MAAM,UAAU,GAAG;gBACjB,GAAG,MAAM;gBACT,aAAa,EAAE,MAAM,CAAC,OAAO,CAAC,aAAa;gBAC3C,YAAY,EAAE,QAAQ;gBACtB,8DAA8D;gBAC9D,+DAA+D;gBAC/D,eAAe;aAChB,CAAC;YACF,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACnD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACtC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;oBAChB,OAAO,CAAC,KAAK,CAAC,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YACnC,4DAA4D;YAC5D,6DAA6D;YAC7D,yDAAyD;YACzD,MAAM,MAAM,GAAG,eAAe,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;YAClE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACtC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;oBAChB,OAAO,CAAC,KAAK,CAAC,2BAA2B,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,iBAAiB;YACjB,MAAM,MAAM,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;YACxC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;gBAChB,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;gBACtC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;oBAChB,OAAO,CAAC,KAAK,CAAC,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,IAAI,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChD,OAAO,CAAC,CAAC;QACX,CAAC;QAED,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QACxE,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC"}
|
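--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "cognium-ai",
-"version": "2.25.
+"version": "2.25.4",
 "description": "AI-powered static analysis CLI with LLM-enhanced vulnerability detection",
 "main": "dist/index.js",
 "types": "dist/index.d.ts",
@@ -43,7 +43,7 @@
 "dependencies": {
 "@cognium/project-profile-detect": "^1.1.0",
 "circle-ir": "3.139.0",
-"circle-ir-ai": "^2.
+"circle-ir-ai": "^2.29.0",
 "commander": "^14.0.3",
 "minimatch": "^10.2.5"
 },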