guardvibe 3.0.43 → 3.0.45
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -522,6 +522,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
522
522
|
// like "node": ">=6" are not dependency versions
|
|
523
523
|
if (rule.id === "VG020" && filePath && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
|
|
524
524
|
continue;
|
|
525
|
+
// Skip all CVE version-pin rules (VG900-VG931) in lock files. The patterns are designed
|
|
526
|
+
// to match top-level dependency declarations in package.json. Lock files contain
|
|
527
|
+
// sub-package peer dependency ranges (e.g. "next": ">=13.2.0" from a transitive dep)
|
|
528
|
+
// which look like vulnerable pins but represent peer requirements, not installed versions.
|
|
529
|
+
if (filePath && /^VG9(?:0\d|1\d|2\d|3[01])$/.test(rule.id) && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
|
|
530
|
+
continue;
|
|
525
531
|
// Skip VG430 (Supabase anon key on server) when file properly separates client/server
|
|
526
532
|
// or is a React Native/mobile client (anon key with AsyncStorage is correct pattern)
|
|
527
533
|
if (rule.id === "VG430") {
|
|
@@ -9,7 +9,10 @@ const TAINT_SOURCES = [
|
|
|
9
9
|
{ pattern: /(?:formData|searchParams)\.get\s*\(/g, type: "form-input" },
|
|
10
10
|
{ pattern: /(?:params|searchParams)\s*[\.\[]/g, type: "url-params" },
|
|
11
11
|
{ pattern: /(?:await\s+)?(?:request|req)\.(?:json|text|formData)\s*\(\)/g, type: "request-body" },
|
|
12
|
-
|
|
12
|
+
// Only treat new URL(...) as tainted when req/request appears in the FIRST argument (path).
|
|
13
|
+
// The second argument (base) only contributes the origin — when the first arg is a literal
|
|
14
|
+
// string like "/verified", the resolved path is fixed regardless of the base.
|
|
15
|
+
{ pattern: /new\s+URL\s*\(\s*[^,)]*?(?:req|request)/g, type: "url-input" },
|
|
13
16
|
{ pattern: /(?:event|e)\.(?:target|currentTarget)\.(?:value|textContent|innerHTML)/g, type: "dom-input" },
|
|
14
17
|
];
|
|
15
18
|
// Dangerous sinks (where tainted data causes damage)
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.45",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|