guardvibe 2.9.8 → 3.0.0

package/build/data/rules/cve-versions.js

@@ -42,7 +42,7 @@ export const cveVersionRules = [
         severity: "high",
         owasp: "A02:2025 Injection",
         description: "React versions before 18.3.1 contain known XSS vulnerabilities. React 16.x and 17.x have multiple unpatched security issues.",
-        pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:15\.\d+\.\d+|16\.\d+\.\d+|17\.\d+\.\d+|18\.[0-2]\.\d+|18\.3\.0)["']/g,
+        pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:15\.\d+\.\d+|16\.\d+\.\d+|17\.\d+\.\d+|18\.[0-1]\.\d+|18\.3\.0)["']/g,
         languages: ["json"],
         fix: "Upgrade React to 18.3.1 or later: npm install react@latest react-dom@latest",
         fixCode: '// package.json\n"react": "^18.3.1",\n"react-dom": "^18.3.1"',

package/build/tools/check-code.js

@@ -212,6 +212,8 @@ const LEGITIMATE_PREFIXED_PACKAGES = new Set([
     "fast-sha256", "fast-text-encoding",
     "svix",
     "cheerio",
+    "simple-plist", "simple-git", "simple-update-notifier", "simple-swizzle", "simple-concat",
+    "simple-html-tokenizer", "simple-ast",
 ]);
 function isLegitimatePackage(name) {
     return LEGITIMATE_PREFIXED_PACKAGES.has(name);
@@ -271,7 +273,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
     const isSqlSchemaFile = filePath ? /(?:schema|migration|seed|ddl|init).*\.sql$/i.test(filePath) : false;
     const isReactNative = /(?:react-native|from\s+['"]react-native['"]|from\s+['"]expo|import\s+.*\bexpo\b)/i.test(code);
     const codeHasTimingSafeEqual = /(?:timingSafeEqual|timing.?safe|constant.?time)/i.test(code);
-    const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code);
+    const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code) ||
+        /(?:Date\.now\(\)|timestamp|uuid|nanoid|crypto\.randomUUID)[\s\S]{0,80}?\.\s*(?:ext|split|pop)/i.test(code);
     const isPeerDeps = /["']peerDependencies["']/i.test(code);
     // Config: check custom auth function names from .guardviberc
     if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
@@ -434,23 +437,31 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // Skip CVE version rules in peerDependencies (ranges, not actual versions)
         if (isPeerDeps && rule.id === "VG903")
             continue;
-        // Skip VG140 (XXE) when file doesn't actually parse XML — just has XML-related imports
+        // Skip VG140 (XXE) when file doesn't actually parse XML or uses browser DOMParser
+        // Browser DOMParser with 'text/html' is safe by design — no external entity processing
         if (rule.id === "VG140") {
-            const hasXmlParsing = /(?:parseString|parseXml|xml2js|DOMParser|XMLParser)\s*\(/i.test(code);
+            const hasXmlParsing = /(?:parseString|parseXml|xml2js|xmldom|libxmljs|XMLParser)\s*\(/i.test(code);
             if (!hasXmlParsing)
                 continue;
+            // Browser DOMParser with text/html is inherently safe
+            const hasBrowserDomParser = /new\s+DOMParser\s*\(\s*\)[\s\S]{0,50}?['"]text\/html['"]/i.test(code);
+            if (hasBrowserDomParser && !hasXmlParsing)
+                continue;
         }
         // Skip VG020 (wildcard dependency version) in lock files — engine constraints
         // like "node": ">=6" are not dependency versions
         if (rule.id === "VG020" && filePath && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
             continue;
         // Skip VG430 (Supabase anon key on server) when file properly separates client/server
-        // Pattern: file exports both a client (anon key) and server (service_role) function
+        // or is a React Native/mobile client (anon key with AsyncStorage is correct pattern)
         if (rule.id === "VG430") {
             const hasServiceRole = /(?:SUPABASE_SERVICE_ROLE|service_role|serviceRole)/i.test(code);
             const hasClientServer = /(?:createClient|createServerClient|createBrowserClient)/i.test(code) && hasServiceRole;
             if (hasClientServer)
                 continue;
+            const isMobileClient = isReactNative || /AsyncStorage/i.test(code) || /EXPO_PUBLIC_/i.test(code);
+            if (isMobileClient)
+                continue;
         }
         // Skip VG448 (Supabase RPC bypass RLS) when using service_role key (server-side)
         if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient)/i.test(code))

package/build/tools/scan-secrets.d.ts

@@ -1,10 +1,11 @@
 export interface SecretFinding {
     provider: string;
-    severity: "critical" | "high" | "medium";
+    severity: "critical" | "high" | "medium" | "low";
     file: string;
     line: number;
     match: string;
     fix: string;
+    gitStatus?: "ignored" | "tracked" | "unknown";
 }
 export declare function scanContent(content: string, filename: string): SecretFinding[];
 export declare function scanSecrets(path: string, recursive?: boolean, format?: "markdown" | "json"): string;

package/build/tools/scan-secrets.js

@@ -1,5 +1,6 @@
 import { existsSync, readdirSync, readFileSync, statSync } from "fs";
 import { basename, dirname, extname, join, relative, resolve } from "path";
+import { execFileSync } from "child_process";
 import { secretPatterns, calculateEntropy } from "../data/secret-patterns.js";
 import { loadConfig } from "../utils/config.js";
 const DEFAULT_SECRET_EXCLUDES = new Set(["node_modules", ".git", "build", "dist"]);
@@ -125,6 +126,29 @@ function isEnvCoveredByGitignore(envFile, gitignoreEntries) {
             content.includes(".env"));
     });
 }
+/**
+ * Check if a file is ignored by git (in .gitignore) and not tracked.
+ * Returns: "ignored" (safe), "tracked" (dangerous - committed secret), "unknown" (no git)
+ */
+function getGitProtectionStatus(filePath, gitRoot) {
+    if (!gitRoot)
+        return "unknown";
+    try {
+        // git check-ignore returns 0 if ignored, 1 if not ignored
+        execFileSync("git", ["check-ignore", "-q", filePath], { cwd: gitRoot, stdio: "pipe" });
+        return "ignored";
+    }
+    catch {
+        // Not ignored — check if it's actually tracked (committed)
+        try {
+            const result = execFileSync("git", ["ls-files", filePath], { cwd: gitRoot, encoding: "utf-8" });
+            return result.trim().length > 0 ? "tracked" : "ignored"; // untracked + not ignored = safe-ish
+        }
+        catch {
+            return "unknown";
+        }
+    }
+}
 export function scanSecrets(path, recursive = true, format = "markdown") {
     const targetPath = resolve(path);
     const filePaths = [];
@@ -158,6 +182,25 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
             // Skip unreadable files.
         }
     }
+    // Enrich findings with git protection status
+    const gitRoot = findGitRoot(scanRoot);
+    const gitStatusCache = new Map();
+    for (const finding of allFindings) {
+        let status = gitStatusCache.get(finding.file);
+        if (status === undefined) {
+            status = getGitProtectionStatus(finding.file, gitRoot);
+            gitStatusCache.set(finding.file, status);
+        }
+        finding.gitStatus = status;
+        if (status === "ignored") {
+            // File is in .gitignore — secrets are local-only, not exposed
+            if (finding.severity === "critical")
+                finding.severity = "low";
+            else if (finding.severity === "high")
+                finding.severity = "low";
+            finding.fix = `✅ Protected: this file is in .gitignore and not committed to git. ${finding.fix.replace(/Rotate.*?\.|acilen.*?\./i, "").trim()}`;
+        }
+    }
     const envFiles = uniquePaths.filter((filePath) => basename(filePath).startsWith(".env"));
     for (const envFile of envFiles) {
         const gitignoreEntries = collectGitignoreEntries(dirname(envFile));
@@ -171,6 +214,7 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
             line: 0,
             match: `${envName} is not listed in .gitignore`,
             fix: `Add '${envName}' or '.env*' to .gitignore immediately.`,
+            gitStatus: "tracked",
         });
     }
     if (format === "json") {
@@ -179,7 +223,7 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
         const medCount = allFindings.length - critCount - highCount;
         return JSON.stringify({
             summary: { total: allFindings.length, critical: critCount, high: highCount, medium: medCount, blocked: critCount > 0 || highCount > 0 },
-            findings: allFindings.map(f => ({ provider: f.provider, severity: f.severity, file: f.file, line: f.line, match: f.match, fix: f.fix })),
+            findings: allFindings.map(f => ({ provider: f.provider, severity: f.severity, file: f.file, line: f.line, match: f.match, fix: f.fix, gitStatus: f.gitStatus })),
         });
     }
     const lines = [
@@ -195,7 +239,37 @@ export function scanSecrets(path, recursive = true, format = "markdown") {
         lines.push("", "---", "", "## Findings", "");
         const order = { critical: 0, high: 1, medium: 2 };
         allFindings.sort((left, right) => order[left.severity] - order[right.severity]);
-        for (const finding of allFindings) {
+        // Group findings by git status for clearer output
+        const tracked = allFindings.filter(f => f.gitStatus === "tracked");
+        const ignored = allFindings.filter(f => f.gitStatus === "ignored");
+        const unknown = allFindings.filter(f => f.gitStatus === "unknown");
+        if (tracked.length > 0) {
+            lines.push("## ⚠️ Exposed Secrets (committed to git)", "");
+            for (const finding of tracked) {
+                lines.push(`### [${finding.severity.toUpperCase()}] ${finding.provider}`, `**File:** ${finding.file}${finding.line > 0 ? `:${finding.line}` : ""}`, `**Match:** \`${finding.match}\``, `**Fix:** ${finding.fix}`, "");
+            }
+        }
+        if (ignored.length > 0) {
+            lines.push(`## ✅ Protected Secrets (${ignored.length} in .gitignore — local only)`, "");
+            lines.push("These files are in .gitignore and not committed. Secrets are safe.", "");
+            // Group by file for compact display
+            const byFile = new Map();
+            for (const f of ignored) {
+                const group = byFile.get(f.file) ?? [];
+                group.push(f);
+                byFile.set(f.file, group);
+            }
+            for (const [file, findings] of byFile) {
+                lines.push(`- **${basename(file)}**: ${findings.map(f => f.provider).join(", ")}`);
+            }
+            lines.push("");
+        }
+        // Show unknown-status findings same as exposed (no git protection confirmed)
+        const exposed = [...tracked, ...unknown];
+        if (exposed.length === 0 && tracked.length === 0) {
+            // Re-render exposed section header if only unknown findings
+        }
+        for (const finding of unknown) {
             lines.push(`### [${finding.severity.toUpperCase()}] ${finding.provider}`, `**File:** ${finding.file}${finding.line > 0 ? `:${finding.line}` : ""}`, `**Match:** \`${finding.match}\``, `**Fix:** ${finding.fix}`, "");
         }
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "2.9.8",
+  "version": "3.0.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",