guardvibe 2.9.7 → 2.9.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/cli/scan.js +20 -16
- package/build/data/rules/cve-versions.js +1 -1
- package/build/tools/check-code.js +15 -4
- package/package.json +1 -1
package/build/cli/scan.js
CHANGED
|
@@ -34,7 +34,7 @@ export async function runScan() {
|
|
|
34
34
|
else {
|
|
35
35
|
console.log(result);
|
|
36
36
|
}
|
|
37
|
-
if (format !== "sarif") {
|
|
37
|
+
if (format !== "sarif" && flags["fail-on"]) {
|
|
38
38
|
const failOn = getStringFlag(flags, "fail-on") ?? "critical";
|
|
39
39
|
if (shouldFail(result, failOn))
|
|
40
40
|
process.exit(1);
|
|
@@ -67,7 +67,7 @@ export async function runDirectoryScan(targetPath, flags) {
|
|
|
67
67
|
: join(scanPath, ".guardvibe-baseline.json");
|
|
68
68
|
safeWriteOutput(baselineFile, result);
|
|
69
69
|
}
|
|
70
|
-
if (format !== "sarif") {
|
|
70
|
+
if (format !== "sarif" && flags["fail-on"]) {
|
|
71
71
|
const failOn = getStringFlag(flags, "fail-on") ?? "critical";
|
|
72
72
|
if (shouldFail(result, failOn))
|
|
73
73
|
process.exit(1);
|
|
@@ -150,17 +150,19 @@ export async function runDiffScan(base, flags) {
|
|
|
150
150
|
else {
|
|
151
151
|
console.log(result);
|
|
152
152
|
}
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
153
|
+
if (flags["fail-on"]) {
|
|
154
|
+
const failOn = getStringFlag(flags, "fail-on") ?? "critical";
|
|
155
|
+
if (failOn !== "none") {
|
|
156
|
+
const failLevels = {
|
|
157
|
+
low: ["critical", "high", "medium", "low"],
|
|
158
|
+
medium: ["critical", "high", "medium"],
|
|
159
|
+
high: ["critical", "high"],
|
|
160
|
+
critical: ["critical"],
|
|
161
|
+
};
|
|
162
|
+
const levels = failLevels[failOn] || failLevels.critical;
|
|
163
|
+
if (allFindings.some(f => levels.includes(f.severity)))
|
|
164
|
+
process.exit(1);
|
|
165
|
+
}
|
|
164
166
|
}
|
|
165
167
|
}
|
|
166
168
|
export async function runFileCheck(filePath, flags) {
|
|
@@ -196,9 +198,11 @@ export async function runFileCheck(filePath, flags) {
|
|
|
196
198
|
else {
|
|
197
199
|
console.log(result);
|
|
198
200
|
}
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
201
|
+
if (flags["fail-on"]) {
|
|
202
|
+
const failOn = getStringFlag(flags, "fail-on") ?? "critical";
|
|
203
|
+
if (shouldFail(result, failOn))
|
|
204
|
+
process.exit(1);
|
|
205
|
+
}
|
|
202
206
|
}
|
|
203
207
|
export async function handleScanCommand(args) {
|
|
204
208
|
const { flags, positional } = parseArgs(args);
|
|
@@ -42,7 +42,7 @@ export const cveVersionRules = [
|
|
|
42
42
|
severity: "high",
|
|
43
43
|
owasp: "A02:2025 Injection",
|
|
44
44
|
description: "React versions before 18.3.1 contain known XSS vulnerabilities. React 16.x and 17.x have multiple unpatched security issues.",
|
|
45
|
-
pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:15\.\d+\.\d+|16\.\d+\.\d+|17\.\d+\.\d+|18\.[0-
|
|
45
|
+
pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:15\.\d+\.\d+|16\.\d+\.\d+|17\.\d+\.\d+|18\.[0-1]\.\d+|18\.3\.0)["']/g,
|
|
46
46
|
languages: ["json"],
|
|
47
47
|
fix: "Upgrade React to 18.3.1 or later: npm install react@latest react-dom@latest",
|
|
48
48
|
fixCode: '// package.json\n"react": "^18.3.1",\n"react-dom": "^18.3.1"',
|
|
@@ -212,6 +212,8 @@ const LEGITIMATE_PREFIXED_PACKAGES = new Set([
|
|
|
212
212
|
"fast-sha256", "fast-text-encoding",
|
|
213
213
|
"svix",
|
|
214
214
|
"cheerio",
|
|
215
|
+
"simple-plist", "simple-git", "simple-update-notifier", "simple-swizzle", "simple-concat",
|
|
216
|
+
"simple-html-tokenizer", "simple-ast",
|
|
215
217
|
]);
|
|
216
218
|
function isLegitimatePackage(name) {
|
|
217
219
|
return LEGITIMATE_PREFIXED_PACKAGES.has(name);
|
|
@@ -271,7 +273,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
271
273
|
const isSqlSchemaFile = filePath ? /(?:schema|migration|seed|ddl|init).*\.sql$/i.test(filePath) : false;
|
|
272
274
|
const isReactNative = /(?:react-native|from\s+['"]react-native['"]|from\s+['"]expo|import\s+.*\bexpo\b)/i.test(code);
|
|
273
275
|
const codeHasTimingSafeEqual = /(?:timingSafeEqual|timing.?safe|constant.?time)/i.test(code);
|
|
274
|
-
const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code)
|
|
276
|
+
const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code) ||
|
|
277
|
+
/(?:Date\.now\(\)|timestamp|uuid|nanoid|crypto\.randomUUID)[\s\S]{0,80}?\.\s*(?:ext|split|pop)/i.test(code);
|
|
275
278
|
const isPeerDeps = /["']peerDependencies["']/i.test(code);
|
|
276
279
|
// Config: check custom auth function names from .guardviberc
|
|
277
280
|
if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
|
|
@@ -434,23 +437,31 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
434
437
|
// Skip CVE version rules in peerDependencies (ranges, not actual versions)
|
|
435
438
|
if (isPeerDeps && rule.id === "VG903")
|
|
436
439
|
continue;
|
|
437
|
-
// Skip VG140 (XXE) when file doesn't actually parse XML
|
|
440
|
+
// Skip VG140 (XXE) when file doesn't actually parse XML or uses browser DOMParser
|
|
441
|
+
// Browser DOMParser with 'text/html' is safe by design — no external entity processing
|
|
438
442
|
if (rule.id === "VG140") {
|
|
439
|
-
const hasXmlParsing = /(?:parseString|parseXml|xml2js|
|
|
443
|
+
const hasXmlParsing = /(?:parseString|parseXml|xml2js|xmldom|libxmljs|XMLParser)\s*\(/i.test(code);
|
|
440
444
|
if (!hasXmlParsing)
|
|
441
445
|
continue;
|
|
446
|
+
// Browser DOMParser with text/html is inherently safe
|
|
447
|
+
const hasBrowserDomParser = /new\s+DOMParser\s*\(\s*\)[\s\S]{0,50}?['"]text\/html['"]/i.test(code);
|
|
448
|
+
if (hasBrowserDomParser && !hasXmlParsing)
|
|
449
|
+
continue;
|
|
442
450
|
}
|
|
443
451
|
// Skip VG020 (wildcard dependency version) in lock files — engine constraints
|
|
444
452
|
// like "node": ">=6" are not dependency versions
|
|
445
453
|
if (rule.id === "VG020" && filePath && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
|
|
446
454
|
continue;
|
|
447
455
|
// Skip VG430 (Supabase anon key on server) when file properly separates client/server
|
|
448
|
-
//
|
|
456
|
+
// or is a React Native/mobile client (anon key with AsyncStorage is correct pattern)
|
|
449
457
|
if (rule.id === "VG430") {
|
|
450
458
|
const hasServiceRole = /(?:SUPABASE_SERVICE_ROLE|service_role|serviceRole)/i.test(code);
|
|
451
459
|
const hasClientServer = /(?:createClient|createServerClient|createBrowserClient)/i.test(code) && hasServiceRole;
|
|
452
460
|
if (hasClientServer)
|
|
453
461
|
continue;
|
|
462
|
+
const isMobileClient = isReactNative || /AsyncStorage/i.test(code) || /EXPO_PUBLIC_/i.test(code);
|
|
463
|
+
if (isMobileClient)
|
|
464
|
+
continue;
|
|
454
465
|
}
|
|
455
466
|
// Skip VG448 (Supabase RPC bypass RLS) when using service_role key (server-side)
|
|
456
467
|
if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient)/i.test(code))
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "2.9.
|
|
3
|
+
"version": "2.9.9",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|