npm - xploitscan-shared-rules - Versions diffs - 1.6.0 → 1.6.2 - Mend

xploitscan-shared-rules 1.6.0 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -4604,7 +4604,12 @@ var complianceMap = {
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. This is a code-hygiene
+  // signal (leaked debug logs, occasionally PII), not a security
+  // vulnerability in the OWASP sense. Was inflating severity counts
+  // on real codebases (11+ hits on vibecheck's own scan), drowning
+  // the actual security signal.
+  severity: "info",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
@@ -4627,7 +4632,11 @@ var consoleLogProduction = {
 var syncFileOps = {
   id: "VC098",
   title: "Synchronous File Operations",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Performance-
+  // category rule (see below) — it's a perf concern, not a security
+  // one, so it shouldn't have been at "medium" alongside actual
+  // security findings. The severity scale should reflect risk class.
+  severity: "info",
   category: "Performance",
   description: "Synchronous file operations (readFileSync, writeFileSync) block the event loop, causing all other requests to wait.",
   check(content, filePath) {
@@ -4664,7 +4673,9 @@ var eventListenerLeak = {
 var nPlusOneQuery = {
   id: "VC100",
   title: "N+1 Query Pattern Detected",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Performance pattern,
+  // not a security issue — same rationale as VC098.
+  severity: "info",
   category: "Performance",
   description: "Database queries inside loops cause N+1 performance problems \u2014 one query per iteration instead of a single batch query.",
   check(content, filePath) {
@@ -4749,7 +4760,11 @@ var todoLeftInCode = {
 var emptyCatchBlock = {
   id: "VC104",
   title: "Empty Catch Block",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Code-Quality
+  // category — empty catch blocks are a maintainability concern, not a
+  // security vulnerability. Worth flagging, not worth counting as a
+  // security "medium" alongside actual SQL-injection / XSS findings.
+  severity: "info",
   category: "Code Quality",
   description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
   check(content, filePath) {
@@ -4783,7 +4798,11 @@ var callbackHell = {
 var magicNumbers = {
   id: "VC106",
   title: "Magic Numbers in Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. Already a Code-Quality
+  // category — magic numbers are a style/readability concern, not a
+  // security vulnerability. Was the single noisiest rule on the
+  // vibecheck self-scan (44 hits) drowning real security signal.
+  severity: "info",
   category: "Code Quality",
   description: "Unnamed numeric constants in conditions or calculations make code hard to understand. Extract them into named constants.",
   check(content, filePath) {
@@ -8046,7 +8065,21 @@ For each finding, respond ONLY with a JSON array. No other text.
 Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
 var MAX_FINDINGS_PER_BATCH = 15;
 var MAX_CONTEXT_LINES = 10;
-var MAX_TOTAL_FINDINGS = 50;
+var DEFAULT_MAX_TOTAL_FINDINGS = 200;
+var MAX_TOTAL_FINDINGS = (() => {
+  const raw = process.env.XPLOITSCAN_AI_FILTER_MAX;
+  if (!raw) return DEFAULT_MAX_TOTAL_FINDINGS;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 1) return DEFAULT_MAX_TOTAL_FINDINGS;
+  return Math.min(n, 1e3);
+})();
+var SEVERITY_PRIORITY = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4
+};
 function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 1 - contextLines);
@@ -8094,8 +8127,13 @@ async function filterFalsePositives(findings, fileContents) {
   const empty = { findings, filteredFindings: [], aiReviewed: false, removedCount: 0, totalBefore: findings.length };
   if (!process.env.ANTHROPIC_API_KEY) return empty;
   if (findings.length === 0) return empty;
-  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
-  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const prioritized = [...findings].sort((a, b) => {
+    const pa = SEVERITY_PRIORITY[(a.severity || "").toLowerCase()] ?? 5;
+    const pb = SEVERITY_PRIORITY[(b.severity || "").toLowerCase()] ?? 5;
+    return pa - pb;
+  });
+  const toReview = prioritized.slice(0, MAX_TOTAL_FINDINGS);
+  const overflow = prioritized.slice(MAX_TOTAL_FINDINGS);
   const totalBefore = findings.length;
   const byFile = /* @__PURE__ */ new Map();
   for (const f of toReview) {