npm - guardvibe - Versions diffs - 3.0.27 → 3.0.29 - Mend

guardvibe 3.0.27 → 3.0.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/data/rules/core.js +1 -1
package/build/tools/check-code.js +62 -0
package/package.json +1 -1

package/build/data/rules/core.js CHANGED Viewed

@@ -31,7 +31,7 @@ export const coreRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "API route handler without authentication middleware or auth check.",
-        pattern: /(?:app|router)\.(get|post|put|delete|patch)\s*\(\s*['"](?!(?:\/(?:api\/)?)?(?:health|status|ping|ready|live|metrics|public|favicon|robots|sitemap)\b)[^'"]*['"]\s*,\s*(?:async\s+)?\(?(?:req|request)/gi,
+        pattern: /(?:app|router)\.(get|post|put|delete|patch)\s*\(\s*['"](?!(?:\/(?:api\/)?)?(?:health|status|ping|ready|live|metrics|public|favicon|robots|sitemap)\b)[^'"]*['"]\s*,\s*(?:async\s+)?\(?\b(?:req|request)\b/gi,
         languages: ["javascript", "typescript"],
         fix: "Add authentication middleware before route handlers: app.get('/api/data', authMiddleware, handler). Use frameworks like Passport.js, Clerk, or Auth0.",
         fixCode: "// Add auth middleware before handler\napp.get('/api/data', authMiddleware, async (req, res) => {\n  // handler code\n});",

package/build/tools/check-code.js CHANGED Viewed

@@ -162,6 +162,16 @@ function hasAuthGuardPattern(code) {
     if (/await\s+(?:\w+\.)*\w*(?:auth|Auth|session|Session|permission|Permission|guard|Guard|verify|Verify|protect|Protect|check|Check|ensure|Ensure|require|Require|assert|Assert|authorize|Authorize)\w*\s*\(/i.test(code)) {
         return true;
     }
+    // Pattern 4: Express-style middleware function with auth-related name (sync, takes req/res/next).
+    // e.g. `function requireAuth(req, res, next)` or `const authMiddleware = (req, res, next) => {`
+    if (/(?:function\s+(?:require|auth|protect|verify|guard|ensure|check|assert|authorize)\w*\s*\(\s*req\b|(?:const|let)\s+(?:require|auth|protect|verify|guard|ensure|check|assert|authorize)\w*\s*=\s*(?:async\s+)?\(\s*req\b)/i.test(code)) {
+        return true;
+    }
+    // Pattern 5: middleware passed inline to express route registration.
+    // e.g. `app.get('/x', requireAuth, handler)` or `router.post('/y', authMiddleware, ...)`.
+    if (/(?:app|router)\.(?:get|post|put|delete|patch|all|use)\s*\([^,)]+,\s*(?:require|auth|protect|verify|guard|ensure|check|assert|authorize|isAuthenticated|isLoggedIn|hasPermission)\w*\s*[,\)]/i.test(code)) {
+        return true;
+    }
     return false;
 }
 /**
@@ -304,6 +314,20 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             continue;
         if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
             continue;
+        // Skip credential rules in test files — fixtures and assertions intentionally use fake values.
+        const isTestFile = filePath && /(?:\.(?:spec|test|e2e|stories)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
+        if (isTestFile && (rule.id === "VG001" || rule.id === "VG062"))
+            continue;
+        // Skip Expo-specific rule (VG708) when project is not an Expo app.
+        // The rule's regex incorrectly matches the literal strings "app.json"/"app.config.ts"
+        // appearing in unrelated configs (e.g. angular.json's tsConfig field).
+        if (rule.id === "VG708" && filePath) {
+            const fileName = filePath.split("/").pop() ?? "";
+            const isExpoConfigFile = /^app\.(json|config\.(js|ts|mjs|cjs))$/.test(fileName);
+            const importsExpo = /(?:from\s+['"]expo[\w-]*['"]|require\s*\(\s*['"]expo[\w-]*['"])/i.test(code);
+            if (!isExpoConfigFile && !importsExpo)
+                continue;
+        }
         // ── Context-aware rule skipping (pattern-agnostic) ──────────────
         const authRuleIds = new Set(["VG420", "VG952", "VG002", "VG402"]);
         const adminRoleRuleIds = new Set(["VG426", "VG957"]);
@@ -538,12 +562,45 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (isHumanReadableString(lines, lineNumber))
                     continue;
             }
+            // Skip credential rules when the variable name signals test/example/mock intent.
+            // e.g. `testingPassword`, `examplePassword`, `mockApiKey`, `placeholderSecret`.
+            if (rule.id === "VG001" || rule.id === "VG062") {
+                const matchedLine = lines[lineNumber - 1] ?? "";
+                if (/(?:^|\s|\b)(?:testing|example|mock|placeholder|sample|demo|fake|dummy|stub|fixture)[A-Z_]/.test(matchedLine))
+                    continue;
+            }
+            // Skip VG010 (SQL injection) on Angular HTTP service calls — http.get/post/etc.
+            // are HTTP client methods, not SQL. The existing pattern's `get` keyword catches them.
+            if (rule.id === "VG010") {
+                const matchedLine = lines[lineNumber - 1] ?? "";
+                const isHttpClientCall = /(?:this\.)?(?:http|httpClient|httpService|api|client)\.(?:get|post|put|delete|patch|head|options)\s*\(/i.test(matchedLine);
+                const importsHttpClient = /from\s+['"]@angular\/common\/http['"]/i.test(code) || /import\s+.*HttpClient/i.test(code);
+                const fileIsAngularService = filePath ? /\.(?:service|component|directive|pipe|guard|resolver|interceptor)\.ts$/i.test(filePath) : false;
+                if (isHttpClientCall && (importsHttpClient || fileIsAngularService))
+                    continue;
+                // Also skip when matched call has no SQL keyword anywhere on the line — covers fetch/axios template-literal URLs.
+                const hasSqlKeyword = /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|UNION|DROP|TRUNCATE|ALTER|CREATE\s+TABLE)\b/i.test(matchedLine);
+                const isFetchOrAxios = /(?:fetch|axios|got|ky|undici|request)\s*[.\(]|axios\.(?:get|post|put|delete|patch)/i.test(matchedLine);
+                if (isFetchOrAxios && !hasSqlKeyword)
+                    continue;
+            }
             // Skip supply chain rules for known legitimate packages
             if (["VG872", "VG873"].includes(rule.id)) {
                 const pkgMatch = /"([\w@/-]+)"/.exec(match[0]);
                 if (pkgMatch && isLegitimatePackage(pkgMatch[1]))
                     continue;
             }
+            // Skip VG863 for non-publishable apps. Signals that this is an application, not a library:
+            // no publishing fields (bin/exports/module/types), main does not point at a build dir,
+            // and start script runs a runtime/framework directly.
+            if (rule.id === "VG863") {
+                const hasPublishingFields = /"(?:bin|exports|module|types|typings)"\s*:/i.test(code);
+                const mainPointsToBuild = /"main"\s*:\s*"(?:dist|build|lib|out)\//i.test(code);
+                const runtimeNames = "node|nodemon|tsx|ts-node|next|nest|vite|remix|astro";
+                const startsAsApp = new RegExp('"start"\\s*:\\s*"(?:' + runtimeNames + ')\\b', "i").test(code);
+                if (!hasPublishingFields && !mainPointsToBuild && startsAsApp)
+                    continue;
+            }
             // Skip VG106 for non-secret variable names (TokenCount, tokenBalance, hashMap, etc.)
             if (rule.id === "VG106") {
                 const varName = match[0].split(/\s*(?:===|!==|==|!=)/)[0].trim();
@@ -649,6 +706,11 @@ function isDuplicatePair(a, b) {
     // Same rule name = same vulnerability
     if (a.rule.name === b.rule.name)
         return true;
+    // Both are SQL injection variants — VG010 (generic) and VG123 (template literal specific) overlap.
+    // VG123 is more specific so it should dominate. isMoreSpecific handles the prefix order.
+    const sqlInjectionRules = new Set(["VG010", "VG123"]);
+    if (sqlInjectionRules.has(a.rule.id) && sqlInjectionRules.has(b.rule.id))
+        return true;
     // Both are XSS/innerHTML related — the core VG012+VG408 duplicate case
     if (a.rule.name.includes("innerHTML") && b.rule.name.includes("innerHTML"))
         return true;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.27",
+  "version": "3.0.29",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",