npm - guardvibe - Versions diffs - 3.0.51 → 3.0.52 - Mend

guardvibe 3.0.51 → 3.0.52

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/data/rules/core.js +2 -2
package/build/tools/check-code.js +27 -1
package/package.json +1 -1

package/build/data/rules/core.js CHANGED Viewed

@@ -7,7 +7,7 @@ export const coreRules = [
         severity: "critical",
         owasp: "A01:2025 Broken Access Control",
         description: "Hardcoded passwords, API keys, or secrets detected in source code.",
-        pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|auth_?token|jwt_?secret|app_?secret|master_?key|signing_?key|encryption_?key)\w*\s*[:=]\s*['"][^'"]{3,}['"]/gi,
+        pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|auth_?token|jwt_?secret|app_?secret|master_?key|signing_?key|encryption_?key)\w*\s*[:=]\s*['"][^'"\n]{3,}['"]/gi,
         languages: ["javascript", "typescript", "python", "go"],
         fix: "Use environment variables (process.env.SECRET) or a secrets manager. Never commit credentials to source code.",
         fixCode: "// Use environment variables instead\nconst password = process.env.DB_PASSWORD;\nconst apiKey = process.env.API_KEY;",
@@ -212,7 +212,7 @@ export const coreRules = [
         severity: "critical",
         owasp: "A07:2025 Auth Failures",
         description: "Variable named secret, password, or apiKey assigned a string literal. Secrets should come from environment variables or a secrets manager, never hardcoded in source.",
-        pattern: /(?:(?:const|let|var|export)\s+)?(?:secret|password|passwd|apiKey|api_key|privateKey|private_key|signingKey|signing_key|encryptionKey|encryption_key|masterKey|master_key|dbPassword|db_password)\s*(?::\s*string\s*)?=\s*["'][^"']{8,}["']/gi,
+        pattern: /(?:(?:const|let|var|export)\s+)?(?:secret|password|passwd|apiKey|api_key|privateKey|private_key|signingKey|signing_key|encryptionKey|encryption_key|masterKey|master_key|dbPassword|db_password)\s*(?::\s*string\s*)?=\s*["'][^"'\n]{8,}["']/gi,
         languages: ["javascript", "typescript", "python"],
         fix: "Use environment variables: const secret = process.env.MY_SECRET. Never hardcode secrets in source code.",
         fixCode: "// Use environment variables\nconst secret = process.env.JWT_SECRET;\nconst apiKey = process.env.API_KEY;\n\n// In .env.local (never commit this file)\nJWT_SECRET=your-secret-here",

package/build/tools/check-code.js CHANGED Viewed

@@ -648,6 +648,11 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             if (rule.id === "VG001" || rule.id === "VG062") {
                 if (isHumanReadableString(lines, lineNumber))
                     continue;
+                // Translation/locale files and event-tracker key maps are not credential stores —
+                // values are UI strings (`password: "Heslo"`) or analytics event names
+                // (`forgot_password: "forgot_password_clicked"`).
+                if (filePath && /(?:\/i18n\/|\/locales?\/|\/translations?\/|\/event[-_]tracker\/|\/analytics\/events\/|\/messages\/[a-z]{2}(?:[-_][A-Z]{2})?\.[jt]sx?$)/i.test(filePath))
+                    continue;
             }
             // Skip credential rules when the variable name signals test/example/mock intent.
             // e.g. `testingPassword`, `examplePassword`, `mockApiKey`, `placeholderSecret`.
@@ -655,6 +660,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 const matchedLine = lines[lineNumber - 1] ?? "";
                 if (/(?:^|\s|\b)(?:testing|example|mock|placeholder|sample|demo|fake|dummy|stub|fixture)[A-Z_]/.test(matchedLine))
                     continue;
+                // Skip TypeScript string-enum stringification: `INLINE_PASSWORD = "INLINE_PASSWORD"`.
+                // No real credential has identical name and value — canonical TS enum-key pattern.
+                // Covers both SCREAMING_SNAKE (TS string enums) and snake_case (event-tracker key maps).
+                if (/\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']\1["']/.test(matchedLine))
+                    continue;
+                // Skip SCREAMING_SNAKE error/status codes whose value is digits-only.
+                // e.g. `INVALID_PASSWORD = "5020"` — error code, not a credential.
+                if (/\b[A-Z][A-Z0-9_]*\s*=\s*["']\d+["']/.test(matchedLine))
+                    continue;
             }
             // Skip VG010 (SQL injection) on Angular HTTP service calls — http.get/post/etc.
             // are HTTP client methods, not SQL. The existing pattern's `get` keyword catches them.
@@ -667,9 +681,21 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                     continue;
                 // Also skip when matched call has no SQL keyword anywhere on the line — covers fetch/axios template-literal URLs.
                 const hasSqlKeyword = /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|UNION|DROP|TRUNCATE|ALTER|CREATE\s+TABLE)\b/i.test(matchedLine);
-                const isFetchOrAxios = /(?:fetch|axios|got|ky|undici|request)\s*[.\(]|axios\.(?:get|post|put|delete|patch)/i.test(matchedLine);
+                // Python `requests.get/post` and `requests.request(...)` are HTTP, not SQL.
+                const isFetchOrAxios = /(?:fetch|axios|got|ky|undici|requests?)\s*[.\(]|axios\.(?:get|post|put|delete|patch)/i.test(matchedLine);
                 if (isFetchOrAxios && !hasSqlKeyword)
                     continue;
+                // Skip when the first call argument is a URL path (starts with `/`) and no SQL keyword is on the line.
+                // Covers service-class HTTP wrappers like `this.get(`/api/...${id}/...`)` where the receiver
+                // isn't named http/api/client. SQL queries never start with `/`; URL paths always do.
+                const firstArgIsUrlPath = /\(\s*[`'"]\s*\/[a-zA-Z0-9_\-/{}$]/.test(matchedLine);
+                if (firstArgIsUrlPath && !hasSqlKeyword)
+                    continue;
+                // Service-class HTTP wrapper: `this.get/post/...` with first arg starting from a URL-base var
+                // like `${this.basePath}/...` or `${apiUrl}/...`. SQL queries don't use `this.<verb>` style.
+                const isServiceVerbCall = /(?:^|[\s=])(?:return\s+|await\s+)?this\.(?:get|post|put|delete|patch|head|options|fetch|request)\s*\(/i.test(matchedLine);
+                if (isServiceVerbCall && !hasSqlKeyword)
+                    continue;
             }
             // Skip supply chain rules for known legitimate packages
             if (["VG872", "VG873"].includes(rule.id)) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.51",
+  "version": "3.0.52",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",