vaspera 2.12.0 → 2.13.0

package/dist/index.js

@@ -56,6 +56,8 @@ import { validateProjectPath, PathValidationError } from "./util/paths.js";
 // Telemetry and scan registry
 import { trackCertificationStarted, trackCertificationCompleted, trackScannerRun, } from "./telemetry/usage.js";
 import { getRegistry } from "./telemetry/registry.js";
+// False positive feedback
+import { submitFeedback, generateFeedbackReport, getSuppressionSuggestions, FP_REASON_DESCRIPTIONS, } from "./scanners/fp-feedback.js";
 // ---------------------------------------------------------------------------
 // Config
 // ---------------------------------------------------------------------------
@@ -871,6 +873,64 @@ server.registerTool("certification_scan", {
     };
 });
 // ---------------------------------------------------------------------------
+// Tool: Diff-Aware Scanning (CI Integration)
+// ---------------------------------------------------------------------------
+server.registerTool("certification_scan_diff", {
+    title: "Diff-Aware Certification Scan",
+    description: `Scan only changed files for faster CI/PR workflows.
+
+Uses \`git diff\` to detect files changed since a base commit (e.g., origin/main).
+Reduces scan time by 50-90% in typical PR scenarios.
+
+**Security-critical files** (auth, middleware, API routes) are always included
+regardless of changes when \`always_scan_security\` is true.`,
+    inputSchema: {
+        project_path: z.string().describe("Absolute path to the project root"),
+        base_sha: z.string().optional().describe("Base SHA for comparison (default: origin/main)"),
+        head_sha: z.string().optional().describe("Head SHA to compare (default: HEAD)"),
+        always_scan_security: z.boolean().optional().default(true).describe("Always include security-critical files"),
+        exclude: z.array(z.string()).optional().describe("Regex patterns to exclude from scanning"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, base_sha, head_sha, always_scan_security, exclude }) => {
+    const { configureIncrementalScan } = await import("./action/diff-mode.js");
+    const result = await configureIncrementalScan({
+        projectPath: project_path,
+        baseSha: base_sha,
+        headSha: head_sha,
+        alwaysScanSecurityFiles: always_scan_security,
+        exclude,
+    });
+    const fileList = result.filesToScan.map((f) => f.path);
+    const securityFiles = fileList.filter((f) => f.includes("auth") ||
+        f.includes("security") ||
+        f.includes("middleware") ||
+        f.includes("api/"));
+    return jsonResponse({
+        isIncremental: result.isIncremental,
+        filesToScan: fileList,
+        fileCount: fileList.length,
+        securityFileCount: securityFiles.length,
+        removedFiles: result.removedFiles,
+        estimatedSavings: `${result.estimatedSavingsPercent}%`,
+        diff: {
+            baseSha: result.diff.baseSha,
+            headSha: result.diff.headSha,
+            additions: result.diff.additions,
+            deletions: result.diff.deletions,
+            changedFilesTotal: result.diff.changedFiles.length,
+        },
+        note: result.isIncremental
+            ? `Scanning ${fileList.length} changed files (${result.estimatedSavingsPercent}% reduction)`
+            : "Full scan recommended (diff detection failed or no changes)",
+    });
+});
+// ---------------------------------------------------------------------------
 // Tool: Check Scanner Availability
 // ---------------------------------------------------------------------------
 server.registerTool("certification_scanners_available", {
@@ -1789,11 +1849,17 @@ server.registerTool("certification_dashboard", {
 // ---------------------------------------------------------------------------
 server.registerTool("autofix_preview", {
     title: "Preview Auto-Fix for Finding",
-    description: `Preview an automatic fix for a certification finding without applying it. Returns the before/after diff.`,
+    description: `Preview an automatic fix without applying it. Can be used two ways:
+1. With certification_id + finding_id to preview a fix from a certification scan
+2. Standalone with file + pattern_id to preview a fix without running a full scan first`,
     inputSchema: {
         project_path: z.string().describe("Absolute path to the project root"),
-        certification_id: z.string().describe("Certification ID"),
-        finding_id: z.string().describe("Finding ID to preview fix for"),
+        certification_id: z.string().optional().describe("Certification ID (optional if using standalone mode)"),
+        finding_id: z.string().optional().describe("Finding ID to preview fix for (required with certification_id)"),
+        file: z.string().optional().describe("File path relative to project root (standalone mode)"),
+        line: z.number().optional().describe("Line number where the issue is located (standalone mode)"),
+        pattern_id: z.string().optional().describe("Pattern ID to apply (e.g., 'perf-async-foreach', 'sec-hardcoded-secret'). Use autofix_list_patterns to see available patterns."),
+        category: z.string().optional().describe("Finding category (alternative to pattern_id, e.g., 'async-foreach', 'hardcoded')"),
     },
     annotations: {
         readOnlyHint: true,
@@ -1801,24 +1867,51 @@ server.registerTool("autofix_preview", {
         idempotentHint: true,
         openWorldHint: false,
     },
-}, async ({ project_path, certification_id, finding_id }) => {
-    const certification = await getCertification(project_path, certification_id);
-    if (!certification) {
-        return errorResponse(`Certification ${certification_id} not found`);
-    }
-    // Find the finding
+}, async ({ project_path, certification_id, finding_id, file, line, pattern_id, category }) => {
     let finding = null;
-    for (const agentData of Object.values(certification.agents)) {
-        if (agentData) {
-            finding = agentData.findings.find((f) => f.id === finding_id);
-            if (finding)
-                break;
+    if (certification_id && finding_id) {
+        const certification = await getCertification(project_path, certification_id);
+        if (!certification) {
+            return errorResponse(`Certification ${certification_id} not found`);
+        }
+        for (const agentData of Object.values(certification.agents)) {
+            if (agentData) {
+                finding = agentData.findings.find((f) => f.id === finding_id) || null;
+                if (finding)
+                    break;
+            }
+        }
+        if (!finding) {
+            return errorResponse(`Finding ${finding_id} not found`);
         }
     }
-    if (!finding) {
-        return errorResponse(`Finding ${finding_id} not found`);
+    else if (file) {
+        if (!pattern_id && !category) {
+            return errorResponse("Standalone mode requires either pattern_id or category. Use autofix_list_patterns to see available patterns.");
+        }
+        finding = {
+            id: pattern_id || `standalone-${category || "unknown"}`,
+            severity: "medium",
+            category: category || pattern_id || "unknown",
+            file,
+            line: line || 1,
+            description: "Standalone autofix preview",
+            evidence: "",
+            confidence: 100,
+            verifications: [],
+            created_at: new Date().toISOString(),
+        };
+    }
+    else {
+        return errorResponse("Provide either (certification_id + finding_id) or (file + pattern_id/category) for standalone mode.");
     }
     const preview = await previewFix(project_path, finding);
+    if (!preview.canAutoFix && !certification_id) {
+        return jsonResponse({
+            ...preview,
+            hint: "No matching pattern found. Use autofix_list_patterns to see available fix patterns and their IDs.",
+        });
+    }
     return jsonResponse({ ...preview });
 });
 // ---------------------------------------------------------------------------
@@ -6094,6 +6187,193 @@ server.registerTool("ai_code_hallucinations", {
     }
 });
 // ---------------------------------------------------------------------------
+// False Positive Feedback Tools
+// ---------------------------------------------------------------------------
+server.registerTool("feedback_submit", {
+    description: "Submit feedback marking a finding as true positive (TP) or false positive (FP). Helps improve scanner accuracy over time.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+        scanner: z.enum([
+            "semgrep", "npm-audit", "gitleaks", "tsc", "eslint",
+            "bandit", "gosec", "brakeman", "trivy", "binary-analysis",
+            "memory-safety", "race-condition", "healthcare", "logic",
+            "dast", "zap", "nuclei", "terraform", "tfsec", "checkov",
+            "openapi", "spectral", "rust", "cargo-audit", "clippy",
+            "detection", "plugin"
+        ]).describe("Scanner that generated the finding"),
+        rule_id: z.string().describe("Rule ID (e.g., 'semgrep:owasp.sql-injection')"),
+        file: z.string().describe("File path where the finding was reported"),
+        line: z.number().optional().describe("Line number of the finding"),
+        verdict: z.enum(["tp", "fp"]).describe("Your verdict: 'tp' for true positive, 'fp' for false positive"),
+        reason: z.enum([
+            "test-code", "false-pattern-match", "sanitized-elsewhere",
+            "intentional", "vendor-code", "generated-code",
+            "example-code", "configuration", "other"
+        ]).optional().describe("Reason for marking as FP (required if verdict is 'fp')"),
+        details: z.string().optional().describe("Additional context or notes"),
+    },
+    annotations: {
+        readOnlyHint: false,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, scanner, rule_id, file, line, verdict, reason, details }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const finding = {
+            scanner: scanner,
+            ruleId: rule_id,
+            file,
+            line: line ?? 0,
+            message: "",
+            severity: "medium",
+            confidence: 100,
+        };
+        const entry = await submitFeedback(validatedPath, finding, verdict, {
+            reason: reason,
+            details,
+        });
+        return jsonResponse({
+            success: true,
+            feedbackId: entry.id,
+            scanner: entry.scanner,
+            ruleId: entry.ruleId,
+            file: entry.file,
+            verdict: entry.verdict,
+            reason: entry.reason,
+            submittedAt: entry.submittedAt,
+            message: verdict === "fp"
+                ? `Marked as false positive. Reason: ${FP_REASON_DESCRIPTIONS[reason] || reason}`
+                : "Marked as true positive. This helps confirm the finding is valid.",
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+server.registerTool("feedback_report", {
+    description: "Generate a report of all feedback submitted for a project, including FP rates by scanner and top FP reasons.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const report = await generateFeedbackReport(validatedPath);
+        return jsonResponse({
+            overview: {
+                totalFeedback: report.overview.totalFeedback,
+                truePositives: report.overview.tpCount,
+                falsePositives: report.overview.fpCount,
+                overallFPRate: `${(report.overview.overallFPRate * 100).toFixed(1)}%`,
+            },
+            byScanner: report.byScanner.map((s) => ({
+                scanner: s.scanner,
+                total: s.total,
+                tp: s.tp,
+                fp: s.fp,
+                fpRate: `${(s.fpRate * 100).toFixed(1)}%`,
+            })),
+            topFPReasons: report.topFPReasons.map((r) => ({
+                reason: r.reason,
+                description: FP_REASON_DESCRIPTIONS[r.reason],
+                count: r.count,
+                percentage: `${r.percentage.toFixed(1)}%`,
+            })),
+            recentFeedback: report.recentFeedback.slice(0, 5).map((f) => ({
+                scanner: f.scanner,
+                ruleId: f.ruleId,
+                file: f.file,
+                verdict: f.verdict,
+                reason: f.reason,
+                submittedAt: f.submittedAt,
+            })),
+            suppressionSuggestions: report.suppressionSuggestions.length,
+            message: report.overview.totalFeedback === 0
+                ? "No feedback submitted yet. Use feedback_submit to mark findings as TP or FP."
+                : `Analyzed ${report.overview.totalFeedback} feedback entries. FP rate: ${(report.overview.overallFPRate * 100).toFixed(1)}%`,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+server.registerTool("feedback_suppressions", {
+    description: "Get suggestions for rules to disable based on accumulated false positive feedback. Rules with >50% FP rate (min 5 samples) are flagged.",
+    inputSchema: {
+        project_path: z.string().describe("Path to the project"),
+        min_fp_rate: z.number().min(0).max(1).optional().default(0.5).describe("Minimum FP rate to suggest suppression (0.0-1.0, default: 0.5)"),
+        min_sample_size: z.number().min(1).optional().default(5).describe("Minimum number of feedback entries required (default: 5)"),
+    },
+    annotations: {
+        readOnlyHint: true,
+        destructiveHint: false,
+        idempotentHint: true,
+        openWorldHint: false,
+    },
+}, async ({ project_path, min_fp_rate, min_sample_size }) => {
+    try {
+        const validatedPath = await validateProjectPath(project_path);
+        const suggestions = await getSuppressionSuggestions(validatedPath, {
+            minFPRate: min_fp_rate,
+            minSampleSize: min_sample_size,
+        });
+        if (suggestions.length === 0) {
+            return jsonResponse({
+                suggestions: [],
+                message: "No rules meet the criteria for suppression. Either not enough feedback or FP rates are acceptable.",
+                criteria: {
+                    minFPRate: `${(min_fp_rate ?? 0.5) * 100}%`,
+                    minSampleSize: min_sample_size ?? 5,
+                },
+            });
+        }
+        return jsonResponse({
+            suggestions: suggestions.map((s) => ({
+                scanner: s.scanner,
+                ruleId: s.ruleId,
+                fpRate: `${(s.fpRate * 100).toFixed(1)}%`,
+                sampleSize: s.sampleSize,
+                recommendation: s.suggestion,
+                recommendationText: s.suggestion === "disable"
+                    ? "High FP rate (≥80%) - consider disabling this rule"
+                    : s.suggestion === "review"
+                        ? "Moderate FP rate (≥50%) - review rule configuration"
+                        : "FP rate acceptable - keep rule enabled",
+                commonReasons: s.commonReasons.map((r) => ({
+                    reason: r,
+                    description: FP_REASON_DESCRIPTIONS[r],
+                })),
+            })),
+            summary: {
+                totalSuggestions: suggestions.length,
+                disableRecommendations: suggestions.filter((s) => s.suggestion === "disable").length,
+                reviewRecommendations: suggestions.filter((s) => s.suggestion === "review").length,
+            },
+            message: `Found ${suggestions.length} rule(s) with high false positive rates based on your feedback.`,
+        });
+    }
+    catch (error) {
+        if (error instanceof PathValidationError) {
+            return errorResponse(`Path validation failed: ${error.message}`);
+        }
+        return errorResponse(error instanceof Error ? error.message : String(error));
+    }
+});
+// ---------------------------------------------------------------------------
 // Exports (for HTTP server and client integration)
 // ---------------------------------------------------------------------------
 export { server, textResponse, jsonResponse, errorResponse };