vaspera 2.9.0 → 2.10.0

package/dist/scanners/fp-filter.js

@@ -0,0 +1,397 @@
+/**
+ * False Positive Filter
+ *
+ * Context-aware filtering to reduce false positives from scanners.
+ * Analyzes code context, semantic patterns, and historical data.
+ *
+ * @module scanners/fp-filter
+ */
+import { readFile } from "fs/promises";
+import { join, basename } from "path";
+import { logger } from "../logger.js";
+/**
+ * Patterns that indicate test files
+ */
+const TEST_FILE_PATTERNS = [
+    /\.test\.[jt]sx?$/,
+    /\.spec\.[jt]sx?$/,
+    /__tests__\//,
+    /__mocks__\//,
+    /(?:^|\/)test\//,
+    /(?:^|\/)tests\//,
+    /\.stories\.[jt]sx?$/,
+    /\.mock\.[jt]sx?$/,
+    /(?:^|\/)cypress\//,
+    /(?:^|\/)e2e\//,
+    /(?:^|\/)playwright\//,
+];
+/**
+ * Patterns that indicate generated code
+ */
+const GENERATED_CODE_PATTERNS = [
+    /\.generated\.[jt]sx?$/,
+    /\.gen\.[jt]sx?$/,
+    /generated\//,
+    /__generated__\//,
+    /\.d\.ts$/,
+    /swagger-client/,
+    /openapi-client/,
+    /graphql\.ts$/,
+    /prisma\/client/,
+];
+/**
+ * Patterns that indicate vendored/third-party code
+ */
+const VENDOR_PATTERNS = [
+    /node_modules\//,
+    /vendor\//,
+    /third[_-]?party\//,
+    /external\//,
+    /lib\/vendor/,
+    /\.min\.js$/,
+    /bundle\.js$/,
+];
+/**
+ * Patterns that indicate fixture/example files
+ */
+const FIXTURE_PATTERNS = [
+    /fixtures?\//,
+    /samples?\//,
+    /examples?\//,
+    /demo\//,
+    /seed\//,
+    /seeds\//,
+    /mock[_-]?data/,
+];
+/**
+ * Rules that are commonly false positives in certain contexts
+ */
+const CONTEXT_SENSITIVE_RULES = {
+    "hardcoded-secret": {
+        filterInTests: true,
+        filterInGenerated: false,
+        filterIfConstant: false,
+        filterIfEnvVar: true,
+    },
+    "sql-injection": {
+        filterInTests: true,
+        filterInGenerated: true,
+        filterIfConstant: true,
+        filterIfEnvVar: false,
+    },
+    "xss": {
+        filterInTests: true,
+        filterInGenerated: true,
+        filterIfConstant: true,
+        filterIfEnvVar: false,
+    },
+    "command-injection": {
+        filterInTests: true,
+        filterInGenerated: true,
+        filterIfConstant: true,
+        filterIfEnvVar: false,
+    },
+    "path-traversal": {
+        filterInTests: true,
+        filterInGenerated: true,
+        filterIfConstant: true,
+        filterIfEnvVar: false,
+    },
+};
+/**
+ * Analyze file path to determine code context
+ */
+export function analyzeFilePath(filePath) {
+    const normalizedPath = filePath.replace(/\\/g, "/");
+    const fileName = basename(filePath);
+    return {
+        isTestFile: TEST_FILE_PATTERNS.some((p) => p.test(normalizedPath)),
+        isGeneratedCode: GENERATED_CODE_PATTERNS.some((p) => p.test(normalizedPath)),
+        isThirdPartyVendored: VENDOR_PATTERNS.some((p) => p.test(normalizedPath)),
+        isMockFile: /\.mock\.[jt]sx?$/.test(fileName) || /mocks?\//i.test(normalizedPath),
+        isFixtureFile: FIXTURE_PATTERNS.some((p) => p.test(normalizedPath)),
+        isExampleFile: /examples?\//i.test(normalizedPath) || /demo\//i.test(normalizedPath),
+    };
+}
+/**
+ * Analyze code content for semantic context
+ */
+export async function analyzeCodeContext(projectPath, finding) {
+    const defaultContext = {
+        hasValidation: false,
+        hasEncoding: false,
+        isSanitized: false,
+        isConstant: false,
+        isEnvironmentVariable: false,
+    };
+    if (!finding.file) {
+        return defaultContext;
+    }
+    try {
+        const filePath = join(projectPath, finding.file);
+        const content = await readFile(filePath, "utf-8");
+        const lines = content.split("\n");
+        // Get surrounding context (5 lines before and after)
+        const startLine = Math.max(0, (finding.line || 1) - 6);
+        const endLine = Math.min(lines.length, (finding.line || 1) + 5);
+        const context = lines.slice(startLine, endLine).join("\n");
+        // Check for validation patterns
+        const validationPatterns = [
+            /validate/i,
+            /sanitize/i,
+            /escape/i,
+            /encode/i,
+            /\.parse\(/,
+            /z\.\w+\(/, // Zod validation
+            /yup\.\w+/, // Yup validation
+            /joi\.\w+/, // Joi validation
+            /validator\./,
+        ];
+        const hasValidation = validationPatterns.some((p) => p.test(context));
+        // Check for encoding patterns
+        const encodingPatterns = [
+            /encodeURIComponent/,
+            /encodeURI/,
+            /htmlEncode/,
+            /escapeHtml/,
+            /DOMPurify/,
+            /sanitizeHtml/,
+        ];
+        const hasEncoding = encodingPatterns.some((p) => p.test(context));
+        // Check for sanitization
+        const sanitizationPatterns = [
+            /sanitize/i,
+            /clean/i,
+            /purify/i,
+            /strip/i,
+            /filter\s*\(/,
+        ];
+        const isSanitized = sanitizationPatterns.some((p) => p.test(context));
+        // Check if value is constant
+        const line = lines[(finding.line || 1) - 1] || "";
+        const isConstant = /const\s+\w+\s*=\s*["'`]/.test(line) ||
+            /readonly\s/.test(line) ||
+            /as\s+const/.test(line);
+        // Check if value comes from environment variable
+        const isEnvironmentVariable = /process\.env\./i.test(context) ||
+            /import\.meta\.env/i.test(context) ||
+            /\$\{.*ENV.*\}/i.test(context);
+        return {
+            hasValidation,
+            hasEncoding,
+            isSanitized,
+            isConstant,
+            isEnvironmentVariable,
+        };
+    }
+    catch (error) {
+        logger.debug("fp_filter.analyze_failed", {
+            file: finding.file,
+            error: String(error),
+        });
+        return defaultContext;
+    }
+}
+/**
+ * Determine if a finding should be filtered as a false positive
+ */
+export function shouldFilter(finding, context) {
+    const { codeContext, semanticContext, historicalContext } = context;
+    // Always filter vendored/third-party code
+    if (codeContext.isThirdPartyVendored) {
+        return {
+            filter: true,
+            reason: "Third-party/vendored code",
+            confidence: 95,
+            suggestion: "suppress",
+        };
+    }
+    // Get rule-specific filtering rules
+    const category = finding.category || extractCategory(finding.ruleId);
+    const ruleConfig = CONTEXT_SENSITIVE_RULES[category];
+    if (ruleConfig) {
+        // Filter in test files for certain rules
+        if (ruleConfig.filterInTests && codeContext.isTestFile) {
+            return {
+                filter: true,
+                reason: "Test file - rule typically FP in tests",
+                confidence: 85,
+                suggestion: "suppress",
+            };
+        }
+        // Filter in generated code
+        if (ruleConfig.filterInGenerated && codeContext.isGeneratedCode) {
+            return {
+                filter: true,
+                reason: "Generated code",
+                confidence: 90,
+                suggestion: "suppress",
+            };
+        }
+        // Filter if value is constant
+        if (ruleConfig.filterIfConstant && semanticContext.isConstant) {
+            return {
+                filter: true,
+                reason: "Constant value - not user-controlled",
+                confidence: 75,
+                suggestion: "review",
+            };
+        }
+        // Filter if environment variable
+        if (ruleConfig.filterIfEnvVar && semanticContext.isEnvironmentVariable) {
+            return {
+                filter: true,
+                reason: "Environment variable reference",
+                confidence: 80,
+                suggestion: "review",
+            };
+        }
+    }
+    // Filter fixture/example files with lower confidence
+    if (codeContext.isFixtureFile || codeContext.isExampleFile) {
+        return {
+            filter: true,
+            reason: "Fixture/example file",
+            confidence: 70,
+            suggestion: "review",
+        };
+    }
+    // Check if sanitization is present
+    if (semanticContext.isSanitized || semanticContext.hasValidation || semanticContext.hasEncoding) {
+        return {
+            filter: false,
+            reason: "Sanitization detected but manual review recommended",
+            confidence: 60,
+            suggestion: "review",
+        };
+    }
+    // Check historical suppressions
+    if (historicalContext.suppressions.includes(finding.ruleId)) {
+        return {
+            filter: true,
+            reason: "Previously suppressed rule",
+            confidence: 70,
+            suggestion: "review",
+        };
+    }
+    // Check historical accuracy
+    if (historicalContext.ruleAccuracy < 0.3) {
+        return {
+            filter: false,
+            reason: `Low historical accuracy (${Math.round(historicalContext.ruleAccuracy * 100)}%)`,
+            confidence: 50,
+            suggestion: "review",
+        };
+    }
+    // No filtering
+    return {
+        filter: false,
+        confidence: 100,
+        suggestion: "confirm",
+    };
+}
+/**
+ * Extract category from rule ID
+ */
+function extractCategory(ruleId) {
+    // Common patterns: "scanner:category.rule" or "category-rule"
+    const colonMatch = ruleId.match(/^[^:]+:([^.]+)/);
+    if (colonMatch) {
+        return colonMatch[1];
+    }
+    const dashMatch = ruleId.match(/^([a-z-]+)-\d+$/i);
+    if (dashMatch) {
+        return dashMatch[1];
+    }
+    return ruleId;
+}
+/**
+ * Filter findings and return filtered results with reasons
+ */
+export async function filterFindings(projectPath, findings, options) {
+    const minConfidence = options?.minConfidence ?? 70;
+    const historicalData = options?.historicalData ?? new Map();
+    const filtered = [];
+    const removed = [];
+    const byReason = {};
+    for (const finding of findings) {
+        // Build context
+        const codeContext = analyzeFilePath(finding.file);
+        const semanticContext = await analyzeCodeContext(projectPath, finding);
+        const ruleHistory = historicalData.get(finding.ruleId);
+        const historicalContext = {
+            previousFPs: [],
+            ruleAccuracy: ruleHistory?.fpRate ?? 1.0,
+            suppressions: ruleHistory?.suppressions ?? [],
+        };
+        const context = {
+            codeContext,
+            semanticContext,
+            historicalContext,
+        };
+        const result = shouldFilter(finding, context);
+        if (result.filter && result.confidence >= minConfidence) {
+            removed.push({
+                finding,
+                reason: result.reason || "Filtered",
+                confidence: result.confidence,
+            });
+            byReason[result.reason || "Unknown"] = (byReason[result.reason || "Unknown"] || 0) + 1;
+        }
+        else {
+            filtered.push(finding);
+        }
+    }
+    logger.info("fp_filter.complete", {
+        total: findings.length,
+        kept: filtered.length,
+        filtered: removed.length,
+    });
+    return {
+        filtered,
+        removed,
+        stats: {
+            total: findings.length,
+            kept: filtered.length,
+            filtered: removed.length,
+            byReason,
+        },
+    };
+}
+/**
+ * Get suggested suppressions for a finding
+ */
+export function getSuppressSuggestion(finding, context) {
+    const scanner = finding.scanner;
+    const ruleId = finding.ruleId;
+    // Generate scanner-specific suppression comments
+    let inlineComment;
+    let fileComment;
+    switch (scanner) {
+        case "semgrep":
+            inlineComment = `// nosemgrep: ${ruleId}`;
+            fileComment = `// nosemgrep`;
+            break;
+        case "eslint":
+            inlineComment = `// eslint-disable-next-line ${ruleId}`;
+            fileComment = `/* eslint-disable ${ruleId} */`;
+            break;
+        case "gitleaks":
+            inlineComment = `// gitleaks:allow`;
+            fileComment = `# gitleaks:allow`;
+            break;
+        case "bandit":
+            inlineComment = `# nosec ${ruleId}`;
+            fileComment = `# nosec`;
+            break;
+        default:
+            inlineComment = `// @suppress ${ruleId}`;
+            fileComment = `// @suppress-file ${ruleId}`;
+    }
+    return {
+        suppressionComment: `Suppressed: ${finding.message} (${context.codeContext.isTestFile ? "test file" : "reviewed"})`,
+        inlineSuppress: inlineComment,
+        fileSuppress: fileComment,
+    };
+}
+//# sourceMappingURL=fp-filter.js.map

package/dist/scanners/fp-filter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fp-filter.js","sourceRoot":"","sources":["../../src/scanners/fp-filter.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAW,MAAM,MAAM,CAAC;AAE/C,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAkDtC;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,kBAAkB;IAClB,kBAAkB;IAClB,aAAa;IACb,aAAa;IACb,gBAAgB;IAChB,iBAAiB;IACjB,qBAAqB;IACrB,kBAAkB;IAClB,mBAAmB;IACnB,eAAe;IACf,sBAAsB;CACvB,CAAC;AAEF;;GAEG;AACH,MAAM,uBAAuB,GAAG;IAC9B,uBAAuB;IACvB,iBAAiB;IACjB,aAAa;IACb,iBAAiB;IACjB,UAAU;IACV,gBAAgB;IAChB,gBAAgB;IAChB,cAAc;IACd,gBAAgB;CACjB,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAG;IACtB,gBAAgB;IAChB,UAAU;IACV,mBAAmB;IACnB,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,aAAa;CACd,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACvB,aAAa;IACb,YAAY;IACZ,aAAa;IACb,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,eAAe;CAChB,CAAC;AAEF;;GAEG;AACH,MAAM,uBAAuB,GAKxB;IACH,kBAAkB,EAAE;QAClB,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,KAAK;QACxB,gBAAgB,EAAE,KAAK;QACvB,cAAc,EAAE,IAAI;KACrB;IACD,eAAe,EAAE;QACf,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,IAAI;QACvB,gBAAgB,EAAE,IAAI;QACtB,cAAc,EAAE,KAAK;KACtB;IACD,KAAK,EAAE;QACL,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,IAAI;QACvB,gBAAgB,EAAE,IAAI;QACtB,cAAc,EAAE,KAAK;KACtB;IACD,mBAAmB,EAAE;QACnB,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,IAAI;QACvB,gBAAgB,EAAE,IAAI;QACtB,cAAc,EAAE,KAAK;KACtB;IACD,gBAAgB,EAAE;QAChB,aAAa,EAAE,IAAI;QACnB,iBAAiB,EAAE,IAAI;QACvB,gBAAgB,EAAE,IAAI;QACtB,cAAc,EAAE,KAAK;KACtB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,MAAM,cAAc,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEpC,OAAO;QACL,UAAU,EAAE,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAClE,eAAe,EAAE,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC5E,oBAAoB,EAAE,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACzE,UAAU,EAAE,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,cAAc,CAAC;QACjF,aAAa,EAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACnE,aAAa,EAAE,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC;KACrF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,WAAmB,EACnB,OAA6B;IAE7B,MAAM,cAAc,GAAuC;QACzD,aAAa,EAAE,KAAK;QACpB,WAAW,EAAE,KAAK;QAClB,WAAW,EAAE,KAAK;QAClB,UAAU,EAAE,KAAK;QACjB,qBAAqB,EAAE,KAAK;KAC7B,CAAC;IAEF,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,cAAc,CAAC;IACxB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAElC,qDAAqD;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChE,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE3D,gCAAgC;QAChC,MAAM,kBAAkB,GAAG;YACzB,WAAW;YACX,WAAW;YACX,SAAS;YACT,SAAS;YACT,WAAW;YACX,UAAU,EAAG,iBAAiB;YAC9B,UAAU,EAAG,iBAAiB;YAC9B,UAAU,EAAG,iBAAiB;YAC9B,aAAa;SACd,CAAC;QACF,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAEtE,8BAA8B;QAC9B,MAAM,gBAAgB,GAAG;YACvB,oBAAoB;YACpB,WAAW;YACX,YAAY;YACZ,YAAY;YACZ,WAAW;YACX,cAAc;SACf,CAAC;QACF,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAElE,yBAAyB;QACzB,MAAM,oBAAoB,GAAG;YAC3B,WAAW;YACX,QAAQ;YACR,SAAS;YACT,QAAQ;YACR,aAAa;SACd,CAAC;QACF,MAAM,WAAW,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QAEtE,6BAA6B;QAC7B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,UAAU,GAAG,yBAAyB,CAAC,IAAI,CAAC,IAAI,CAAC;YACpC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE3C,iDAAiD;QACjD,MAAM,qBAAqB,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;YAC9B,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;YAClC,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE9D,OAAO;YACL,aAAa;YACb,WAAW;YACX,WAAW;YACX,UAAU;YACV,qBAAqB;SACtB,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;YACvC,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC,CAAC;QACH,OAAO,cAAc,CAAC;IACxB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAC1B,OAA6B,EAC7B,OAAwB;IAExB,MAAM,EAAE,WAAW,EAAE,eAAe,EAAE,iBAAiB,EAAE,GAAG,OAAO,CAAC;IAEpE,0CAA0C;IAC1C,IAAI,WAAW,CAAC,oBAAoB,EAAE,CAAC;QACrC,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,2BAA2B;YACnC,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,UAAU;SACvB,CAAC;IACJ,CAAC;IAED,oCAAoC;IACpC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACrE,MAAM,UAAU,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IAErD,IAAI,UAAU,EAAE,CAAC;QACf,yCAAyC;QACzC,IAAI,UAAU,CAAC,aAAa,IAAI,WAAW,CAAC,UAAU,EAAE,CAAC;YACvD,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,wCAAwC;gBAChD,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,UAAU;aACvB,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,CAAC,iBAAiB,IAAI,WAAW,CAAC,eAAe,EAAE,CAAC;YAChE,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,gBAAgB;gBACxB,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,UAAU;aACvB,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,UAAU,CAAC,gBAAgB,IAAI,eAAe,CAAC,UAAU,EAAE,CAAC;YAC9D,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,sCAAsC;gBAC9C,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,QAAQ;aACrB,CAAC;QACJ,CAAC;QAED,iCAAiC;QACjC,IAAI,UAAU,CAAC,cAAc,IAAI,eAAe,CAAC,qBAAqB,EAAE,CAAC;YACvE,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,MAAM,EAAE,gCAAgC;gBACxC,UAAU,EAAE,EAAE;gBACd,UAAU,EAAE,QAAQ;aACrB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,WAAW,CAAC,aAAa,IAAI,WAAW,CAAC,aAAa,EAAE,CAAC;QAC3D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,sBAAsB;YAC9B,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,QAAQ;SACrB,CAAC;IACJ,CAAC;IAED,mCAAmC;IACnC,IAAI,eAAe,CAAC,WAAW,IAAI,eAAe,CAAC,aAAa,IAAI,eAAe,CAAC,WAAW,EAAE,CAAC;QAChG,OAAO;YACL,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,qDAAqD;YAC7D,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,QAAQ;SACrB,CAAC;IACJ,CAAC;IAED,gCAAgC;IAChC,IAAI,iBAAiB,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,MAAM,EAAE,4BAA4B;YACpC,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,QAAQ;SACrB,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,IAAI,iBAAiB,CAAC,YAAY,GAAG,GAAG,EAAE,CAAC;QACzC,OAAO;YACL,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,4BAA4B,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,YAAY,GAAG,GAAG,CAAC,IAAI;YACxF,UAAU,EAAE,EAAE;YACd,UAAU,EAAE,QAAQ;SACrB,CAAC;IACJ,CAAC;IAED,eAAe;IACf,OAAO;QACL,MAAM,EAAE,KAAK;QACb,UAAU,EAAE,GAAG;QACf,UAAU,EAAE,SAAS;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAc;IACrC,8DAA8D;IAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAClD,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;IACvB,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACnD,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,WAAmB,EACnB,QAAgC,EAChC,OAGC;IAWD,MAAM,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,EAAE,CAAC;IACnD,MAAM,cAAc,GAAG,OAAO,EAAE,cAAc,IAAI,IAAI,GAAG,EAAE,CAAC;IAE5D,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAiF,EAAE,CAAC;IACjG,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAE5C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,gBAAgB;QAChB,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAClD,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QAEvE,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACvD,MAAM,iBAAiB,GAAyC;YAC9D,WAAW,EAAE,EAAE;YACf,YAAY,EAAE,WAAW,EAAE,MAAM,IAAI,GAAG;YACxC,YAAY,EAAE,WAAW,EAAE,YAAY,IAAI,EAAE;SAC9C,CAAC;QAEF,MAAM,OAAO,GAAoB;YAC/B,WAAW;YACX,eAAe;YACf,iBAAiB;SAClB,CAAC;QAEF,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE9C,IAAI,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,UAAU,IAAI,aAAa,EAAE,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO;gBACP,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,UAAU;gBACnC,UAAU,EAAE,MAAM,CAAC,UAAU;aAC9B,CAAC,CAAC;YACH,QAAQ,CAAC,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACzF,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,oBAAoB,EAAE;QAChC,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,IAAI,EAAE,QAAQ,CAAC,MAAM;QACrB,QAAQ,EAAE,OAAO,CAAC,MAAM;KACzB,CAAC,CAAC;IAEH,OAAO;QACL,QAAQ;QACR,OAAO;QACP,KAAK,EAAE;YACL,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,IAAI,EAAE,QAAQ,CAAC,MAAM;YACrB,QAAQ,EAAE,OAAO,CAAC,MAAM;YACxB,QAAQ;SACT;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAA6B,EAC7B,OAAwB;IAMxB,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IAChC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAE9B,iDAAiD;IACjD,IAAI,aAAqB,CAAC;IAC1B,IAAI,WAAmB,CAAC;IAExB,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,SAAS;YACZ,aAAa,GAAG,iBAAiB,MAAM,EAAE,CAAC;YAC1C,WAAW,GAAG,cAAc,CAAC;YAC7B,MAAM;QACR,KAAK,QAAQ;YACX,aAAa,GAAG,+BAA+B,MAAM,EAAE,CAAC;YACxD,WAAW,GAAG,qBAAqB,MAAM,KAAK,CAAC;YAC/C,MAAM;QACR,KAAK,UAAU;YACb,aAAa,GAAG,mBAAmB,CAAC;YACpC,WAAW,GAAG,kBAAkB,CAAC;YACjC,MAAM;QACR,KAAK,QAAQ;YACX,aAAa,GAAG,WAAW,MAAM,EAAE,CAAC;YACpC,WAAW,GAAG,SAAS,CAAC;YACxB,MAAM;QACR;YACE,aAAa,GAAG,gBAAgB,MAAM,EAAE,CAAC;YACzC,WAAW,GAAG,qBAAqB,MAAM,EAAE,CAAC;IAChD,CAAC;IAED,OAAO;QACL,kBAAkB,EAAE,eAAe,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,UAAU,GAAG;QACnH,cAAc,EAAE,aAAa;QAC7B,YAAY,EAAE,WAAW;KAC1B,CAAC;AACJ,CAAC"}

package/dist/scanners/fp-tracker.d.ts

@@ -0,0 +1,125 @@
+/**
+ * False Positive Tracker
+ *
+ * Tracks false positive rates per scanner/rule and adjusts
+ * finding confidence accordingly.
+ *
+ * @module scanners/fp-tracker
+ */
+import type { ScannerType, DeterministicFinding } from "./types.js";
+import type { Severity } from "../certification/types.js";
+/**
+ * Metrics for a specific rule
+ */
+export interface RuleMetrics {
+    /** Scanner that generated this rule */
+    scanner: ScannerType;
+    /** Rule ID */
+    ruleId: string;
+    /** Total findings reported by this rule */
+    totalReported: number;
+    /** Number confirmed as true positives */
+    confirmedTP: number;
+    /** Number confirmed as false positives */
+    confirmedFP: number;
+    /** Number still pending review */
+    pendingReview: number;
+    /** Calculated FP rate (0-1) */
+    fpRate: number;
+    /** Calculated TP rate (0-1) */
+    tpRate: number;
+    /** Confidence adjustment factor based on history */
+    adjustmentFactor: number;
+    /** Last updated timestamp */
+    lastUpdated: string;
+    /** Severity distribution of findings */
+    severityDistribution: Partial<Record<Severity, number>>;
+}
+/**
+ * Aggregated scanner metrics
+ */
+export interface ScannerMetrics {
+    scanner: ScannerType;
+    totalRules: number;
+    totalFindings: number;
+    overallFPRate: number;
+    overallTPRate: number;
+    ruleMetrics: Map<string, RuleMetrics>;
+}
+/**
+ * FP tracking data store
+ */
+export interface FPTrackingData {
+    version: string;
+    lastUpdated: string;
+    projectPath: string;
+    scanners: Record<string, ScannerMetrics>;
+    globalStats: {
+        totalFindings: number;
+        totalTP: number;
+        totalFP: number;
+        totalPending: number;
+        overallAccuracy: number;
+    };
+}
+/**
+ * Load FP tracking data from disk
+ */
+export declare function loadTrackingData(projectPath: string): Promise<FPTrackingData>;
+/**
+ * Save FP tracking data to disk
+ */
+export declare function saveTrackingData(projectPath: string, data: FPTrackingData): Promise<void>;
+/**
+ * Record a new finding for tracking
+ */
+export declare function recordFinding(projectPath: string, finding: DeterministicFinding): Promise<void>;
+/**
+ * Mark a finding as true positive
+ */
+export declare function markTruePositive(projectPath: string, scanner: ScannerType, ruleId: string): Promise<RuleMetrics | undefined>;
+/**
+ * Mark a finding as false positive
+ */
+export declare function markFalsePositive(projectPath: string, scanner: ScannerType, ruleId: string, reason?: string): Promise<RuleMetrics | undefined>;
+/**
+ * Adjust finding confidence based on historical FP rates
+ */
+export declare function adjustFindingConfidence(finding: DeterministicFinding, metrics: RuleMetrics | undefined): number;
+/**
+ * Get metrics for a specific rule
+ */
+export declare function getRuleMetrics(projectPath: string, scanner: ScannerType, ruleId: string): Promise<RuleMetrics | undefined>;
+/**
+ * Get all scanner metrics
+ */
+export declare function getAllMetrics(projectPath: string): Promise<FPTrackingData>;
+/**
+ * Get rules with high FP rates
+ */
+export declare function getHighFPRules(projectPath: string, threshold?: number, minSampleSize?: number): Promise<RuleMetrics[]>;
+/**
+ * Generate FP tracking report
+ */
+export declare function generateFPReport(projectPath: string, options?: {
+    minSampleSize?: number;
+    includeAllRules?: boolean;
+}): Promise<{
+    summary: {
+        totalScanners: number;
+        totalRules: number;
+        totalFindings: number;
+        overallAccuracy: number;
+        highFPRuleCount: number;
+    };
+    scannerBreakdown: Array<{
+        scanner: ScannerType;
+        totalFindings: number;
+        fpRate: number;
+        tpRate: number;
+        ruleCount: number;
+    }>;
+    highFPRules: RuleMetrics[];
+    recommendations: string[];
+}>;
+//# sourceMappingURL=fp-tracker.d.ts.map

package/dist/scanners/fp-tracker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fp-tracker.d.ts","sourceRoot":"","sources":["../../src/scanners/fp-tracker.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AACpE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAG1D;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,uCAAuC;IACvC,OAAO,EAAE,WAAW,CAAC;IAErB,cAAc;IACd,MAAM,EAAE,MAAM,CAAC;IAEf,2CAA2C;IAC3C,aAAa,EAAE,MAAM,CAAC;IAEtB,yCAAyC;IACzC,WAAW,EAAE,MAAM,CAAC;IAEpB,0CAA0C;IAC1C,WAAW,EAAE,MAAM,CAAC;IAEpB,kCAAkC;IAClC,aAAa,EAAE,MAAM,CAAC;IAEtB,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IAEf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IAEf,oDAAoD;IACpD,gBAAgB,EAAE,MAAM,CAAC;IAEzB,6BAA6B;IAC7B,WAAW,EAAE,MAAM,CAAC;IAEpB,wCAAwC;IACxC,oBAAoB,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;CACzD;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,WAAW,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IACzC,WAAW,EAAE;QACX,aAAa,EAAE,MAAM,CAAC;QACtB,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,CAAC;QAChB,YAAY,EAAE,MAAM,CAAC;QACrB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;CACH;AA4BD;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAkBnF;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAwB/F;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,IAAI,CAAC,CAuDf;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAuClC;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,MAAM,EACd,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CA8ClC;AA+CD;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,WAAW,GAAG,SAAS,GAC/B,MAAM,CAYR;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC,CAGlC;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAEhF;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,WAAW,EAAE,MAAM,EACnB,SAAS,GAAE,MAAY,EACvB,aAAa,GAAE,MAAW,GACzB,OAAO,CAAC,WAAW,EAAE,CAAC,CAexB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IACR,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B,GACA,OAAO,CAAC;IACT,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;QACtB,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,gBAAgB,EAAE,KAAK,CAAC;QACtB,OAAO,EAAE,WAAW,CAAC;QACrB,aAAa,EAAE,MAAM,CAAC;QACtB,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,MAAM,CAAC;QACf,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B,CAAC,CAuDD"}