guardvibe 3.1.37 → 3.1.38

package/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.38] - 2026-06-07
+
+### Fixed — false-positive precision, verified one rule at a time (no rule-count change, 438 / 36)
+Each claimed false positive was checked against the actual code in the real-world corpus; only genuine FP classes were narrowed, with an old-vs-new diff confirming zero true-positive loss (14 FPs removed corpus-wide, 0 TP lost).
+- **VG434** (Drizzle) retargeted from the *safe* `sql\`${value}\`` tag (which parameterizes interpolations) to the real injection vector — `sql.raw()` interpolated into an executed query. Renamed to "Drizzle sql.raw() Injection".
+- **VG514** (Docker Compose secret) no longer fires when the value is an env-var reference (`${VAR}` / `$VAR`); hardcoded literals still fire.
+- **VG001** (hardcoded credentials) skips kebab-case slug values under an uppercase-led enum/constant name (e.g. `UserMissingPassword = "missing-password"`) and values explicitly marked as mock/placeholder (e.g. `"MOCK_DAILY_API_KEY"`).
+- **VG139** (TLS verification disabled) is skipped in test files and no longer matches a `skipVerify = false` substring; real `rejectUnauthorized: false` in production code still fires (the prior "FP" claim was wrong — those are real vulnerabilities).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.1.37] - 2026-06-07
 
 ### Added — taint + secret scanning on the `check` path (no rule-count change, 438 / 36)

package/build/data/rules/advanced-security.js

@@ -127,7 +127,7 @@ export const advancedSecurityRules = [
         severity: "critical",
         owasp: "A02:2025 Cryptographic Failures",
         description: "TLS certificate verification is disabled, allowing man-in-the-middle attacks. All HTTPS connections become insecure.",
-        pattern: /(?:NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']0["']|rejectUnauthorized\s*:\s*false|verify\s*=\s*False|InsecureSkipVerify\s*:\s*true)/gi,
+        pattern: /(?:NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']0["']|rejectUnauthorized\s*:\s*false|(?<![\w$])verify\s*=\s*False|InsecureSkipVerify\s*:\s*true)/gi,
         languages: ["javascript", "typescript", "python", "go"],
         fix: "Never disable TLS verification in production. Fix certificate issues instead.",
         fixCode: '// BAD: disables all TLS verification\n// process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";\n// const agent = new https.Agent({ rejectUnauthorized: false });\n\n// GOOD: fix the certificate issue\n// - Use valid certificates (Let\'s Encrypt)\n// - Add CA certificate to Node: --use-openssl-ca\n// - For self-signed dev certs: only disable in NODE_ENV=development',

package/build/data/rules/database.js

@@ -41,13 +41,13 @@ export const databaseRules = [
     },
     {
         id: "VG434",
-        name: "Drizzle Unsafe SQL Interpolation",
+        name: "Drizzle sql.raw() Injection",
         severity: "critical",
         owasp: "A03:2025 Injection",
-        description: "Drizzle sql tagged template with direct variable interpolation. Use sql.placeholder() for safe parameterization.",
-        pattern: /(?:db\.execute|db\.run|db\.get|db\.all)\s*\(\s*sql`[^`]*\$\{/g,
+        description: "sql.raw() interpolated into an executed Drizzle query bypasses parameter binding, enabling SQL injection. Drizzle's sql`${value}` tag binds interpolations safely — only sql.raw() escapes that.",
+        pattern: /(?:db\.execute|db\.run|db\.get|db\.all)\s*\(\s*sql`[^`]*\$\{\s*sql\.raw\b/g,
         languages: ["javascript", "typescript"],
-        fix: "Use sql.placeholder() for dynamic values in Drizzle queries.",
+        fix: "Avoid sql.raw() with dynamic input. Use bound ${value} interpolation, or restrict raw fragments to a hardcoded allowlist of column/table identifiers.",
         fixCode: 'import { sql } from "drizzle-orm";\n\nconst result = await db.execute(\n  sql`SELECT * FROM users WHERE id = ${sql.placeholder("id")}`,\n  { id: userId }\n);',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },

package/build/tools/check-code.js

@@ -451,7 +451,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
         const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|_test\.go$|\/__tests__\/|\/__mocks__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG003", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG100", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409", "VG148", "VG424", "VG137"].includes(rule.id))
+        if (isTestFile && ["VG001", "VG003", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG100", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409", "VG148", "VG424", "VG137", "VG139"].includes(rule.id))
             continue;
         // VG137 (Debug Endpoint Exposes System Information) also misfires on build/test config
         // files: a `<rootDir>/test/` mapper or a `/test` path string near `process.env` in
@@ -944,6 +944,24 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                     if (canonical(idValuePair[1]) === canonical(idValuePair[2]))
                         continue;
                 }
+                // Skip enum/constant members whose value is a kebab-case slug (lowercase words
+                // joined by hyphens, no digits) under an uppercase-led name — error codes like
+                // `UserMissingPassword = "missing-password"`. The uppercase-name requirement keeps a
+                // lowercase `password = "my-secret"` firing (only enum/const members get the pass).
+                // The value is captured with a flat (ReDoS-safe) char class, then validated by
+                // splitting on '-' rather than a nested-quantifier regex.
+                const slugPair = matchedLine.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([a-z][a-z-]*)["']/);
+                if (slugPair && /^[A-Z]/.test(slugPair[1])) {
+                    const parts = slugPair[2].split("-");
+                    const isKebabSlug = parts.length >= 2 && parts.every(p => p.length > 0 && /^[a-z]+$/.test(p));
+                    if (isKebabSlug)
+                        continue;
+                }
+                // Skip values explicitly marked as mock/placeholder — `DAILY_API_KEY = "MOCK_DAILY_API_KEY"`,
+                // `apiKey: "your-api-key-here"`. A value literally named as a placeholder is not a secret.
+                const valuePair = matchedLine.match(/[:=]\s*["']([^"'\n]{3,})["']/);
+                if (valuePair && /^(?:mock|example|sample|demo|fake|dummy|stub|placeholder|changeme|change-me|your[-_]|xxx|todo|replace[-_]?me)/i.test(valuePair[1]))
+                    continue;
                 // Skip SCREAMING_SNAKE error/status codes whose value is digits-only.
                 // e.g. `INVALID_PASSWORD = "5020"` — error code, not a credential.
                 if (/\b[A-Z][A-Z0-9_]*\s*=\s*["']\d+["']/.test(matchedLine))
@@ -958,6 +976,16 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                     && /^[A-Za-z][A-Za-z .,!?'’()-]*\s[A-Za-z .,!?'’()-]+$/.test(msgPair[2]))
                     continue;
             }
+            // VG514 (Docker Compose Hardcoded Secret): the match spans the `environment:` block,
+            // so the flagged secret VALUE is the last `KEY: value` in match[0]. When that value is
+            // an env-var reference (`${VAR}` / `$VAR`) it is NOT hardcoded — the canonical secure
+            // pattern (compose reads it from .env). Hardcoded literals (`POSTGRES_PASSWORD=magical`)
+            // still fire.
+            if (rule.id === "VG514") {
+                const secretVal = match[0].match(/(?:SECRET|PASSWORD|TOKEN|KEY|CREDENTIAL)\w*\s*[=:]\s*["']?([^"'\s]+)/i);
+                if (secretVal && /^\$\{?\w+\}?$/.test(secretVal[1]))
+                    continue;
+            }
             // VG1083 (JWT verification bypass): jwt.decode() is fine when used only to peek at a
             // token that is ALSO verified (decode-then-verify). Skip the decode branch when a real
             // signature verification exists in the file. (The none-algorithm branch always fires.)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.37",
+  "version": "3.1.38",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 438 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",