guardvibe 3.1.11 → 3.1.13

package/build/tools/check-code.js

@@ -333,6 +333,13 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         while ((lit = literalUrlAssignRe.exec(code)) !== null)
             literalUrlVars.add(lit[1]);
     }
+    // jsforce SOQL skip signal for VG123. jsforce's `conn.query()` is SOQL
+    // (Salesforce's query language), not SQL — different injection semantics, and
+    // jsforce does not support parameterized queries. The documented practice is
+    // manual escape via a `sanitize*Soql*` helper. File-level boolean: cheaper
+    // than re-testing both regexes per match.
+    const fileIsJsforceWithSoqlSanitizer = /from\s+["']@?jsforce[\w@/-]*["']/i.test(code) &&
+        /sanitiz\w*Soql\w*/i.test(code);
     // Config: check custom auth function names from .guardviberc
     if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
         const customPattern = new RegExp(`(?:${config.authFunctions.join("|")})\\s*\\(`, "i");
@@ -363,7 +370,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
         const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
+        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
             continue;
         // VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
         // surfaces — API routes, App Router `route.{ts,tsx}`, pages/api, or Server Actions.
@@ -877,6 +884,45 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (isServiceVerbCall && !hasSqlKeyword)
                     continue;
             }
+            // Skip XSS-family rules (VG012/VG408/VG042/VG852) when a lint-suppression
+            // comment for the corresponding rule sits within a small window around the
+            // matched line. Universal: biome `lint/security/noDangerouslySetInnerHtml`
+            // ignore (most JSX cases) or eslint `react/no-danger` disable. Window is
+            // ±3 lines because (a) the rule may fire on the comment line itself when
+            // its pattern matches the `dangerouslySetInnerHtml` substring inside the
+            // biome ignore directive, and (b) JSX attribute rules often fire 2-3 lines
+            // below a `{/* biome-ignore ... */}` placed above the opening tag. The
+            // suppression comment is the developer's explicit acceptance of the
+            // exception (almost always accompanied by a sanitization rationale).
+            if (["VG012", "VG408", "VG042", "VG852"].includes(rule.id)) {
+                const window = lines
+                    .slice(Math.max(0, lineNumber - 4), Math.min(lines.length, lineNumber + 3))
+                    .join("\n");
+                if (/biome-ignore\s+lint\/security\/noDangerouslySetInnerHtml\b/i.test(window))
+                    continue;
+                if (/eslint-disable(?:-next-line)?\b[^\n]{0,200}react\/no-danger\b/i.test(window))
+                    continue;
+            }
+            // Skip VG012 when the right-hand side is a hardcoded string literal with
+            // no interpolation. No user input can flow in; the markup is fully
+            // developer-controlled.
+            if (rule.id === "VG012") {
+                const matchedLine = lines[lineNumber - 1] ?? "";
+                if (/\.\w+\s*=\s*"[^"\n]*"\s*;?\s*$/.test(matchedLine) && /\.innerHTML\s*=/.test(matchedLine))
+                    continue;
+                if (/\.\w+\s*=\s*'[^'\n]*'\s*;?\s*$/.test(matchedLine) && /\.innerHTML\s*=/.test(matchedLine))
+                    continue;
+            }
+            // Skip VG010/VG123 (SQL injection family) on jsforce SOQL calls. SOQL has
+            // different injection semantics than SQL and jsforce does not support
+            // parameterized queries — the documented practice is manual escape via a
+            // `sanitize*Soql*` helper. File must import jsforce AND use a SOQL
+            // sanitizer — both required, so a jsforce file that forgets to escape
+            // still fires. Both VG010 and VG123 are listed because the dedup logic
+            // (isDuplicatePair) collapses them on the same line; without skipping
+            // both, VG010 just takes over when VG123 is suppressed.
+            if ((rule.id === "VG123" || rule.id === "VG010") && fileIsJsforceWithSoqlSanitizer)
+                continue;
             // Skip supply chain rules for known legitimate packages
             if (["VG872", "VG873"].includes(rule.id)) {
                 const pkgMatch = /"([\w@/-]+)"/.exec(match[0]);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.11",
+  "version": "3.1.13",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",