npm - xploitscan - Versions diffs - 1.0.11 → 1.0.13 - Mend

xploitscan 1.0.11 → 1.0.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -1976,17 +1976,19 @@ function parseReviewResponse(text) {
     const parsed = JSON.parse(cleaned);
     if (!Array.isArray(parsed)) return [];
     return parsed.filter(
-      (r) => typeof r === "object" && r !== null && "index" in r && "verdict" in r && r.verdict === "real" || r.verdict === "fp"
+      (r) => typeof r === "object" && r !== null && "index" in r && "verdict" in r && (r.verdict === "real" || r.verdict === "fp")
     );
   } catch {
     return [];
   }
 }
 async function filterFalsePositives(findings, fileContents) {
-  if (!process.env.ANTHROPIC_API_KEY) return findings;
-  if (findings.length === 0) return findings;
+  const empty = { findings, filteredFindings: [], aiReviewed: false, removedCount: 0, totalBefore: findings.length };
+  if (!process.env.ANTHROPIC_API_KEY) return empty;
+  if (findings.length === 0) return empty;
   const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
   const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const totalBefore = findings.length;
   const byFile = /* @__PURE__ */ new Map();
   for (const f of toReview) {
     const group = byFile.get(f.file) || [];
@@ -1997,9 +1999,9 @@ async function filterFalsePositives(findings, fileContents) {
   try {
     client = new Anthropic2();
   } catch {
-    return findings;
+    return empty;
   }
-  const fpIndices = /* @__PURE__ */ new Set();
+  const fpMap = /* @__PURE__ */ new Map();
   for (const [file, fileFindings] of byFile) {
     const content = fileContents.get(file);
     if (!content) continue;
@@ -2018,7 +2020,9 @@ async function filterFalsePositives(findings, fileContents) {
         for (const r of results) {
           if (r.verdict === "fp" && r.index >= 0 && r.index < batch.length) {
             const globalIndex = toReview.indexOf(batch[r.index]);
-            if (globalIndex !== -1) fpIndices.add(globalIndex);
+            if (globalIndex !== -1) {
+              fpMap.set(globalIndex, r.reason);
+            }
           }
         }
       } catch {
@@ -2026,8 +2030,18 @@ async function filterFalsePositives(findings, fileContents) {
       }
     }
   }
-  const filtered = toReview.filter((_, i) => !fpIndices.has(i));
-  return [...filtered, ...overflow];
+  const filtered = toReview.filter((_, i) => !fpMap.has(i));
+  const filteredFindings = [];
+  for (const [idx, reason] of fpMap) {
+    filteredFindings.push({ finding: toReview[idx], reason });
+  }
+  return {
+    findings: [...filtered, ...overflow],
+    filteredFindings,
+    aiReviewed: true,
+    removedCount: fpMap.size,
+    totalBefore
+  };
 }
 // src/scanners/ast-analyzer.ts
@@ -3626,6 +3640,10 @@ async function scanCommand(directory, options) {
       chalk2.gray("Tip: Set ANTHROPIC_API_KEY for AI-powered contextual analysis")
     );
   }
+  let aiReviewed = false;
+  let aiRemovedCount = 0;
+  let aiTotalBefore = 0;
+  let aiFilteredFindings = [];
   if (process.env.ANTHROPIC_API_KEY && allFindings.length > 0) {
     spinner.text = "AI reviewing findings for false positives...";
     spinner.color = "cyan";
@@ -3637,15 +3655,14 @@ async function scanCommand(directory, options) {
           if (content) fileContentsMap.set(f.file, content);
         }
       }
-      const beforeCount = allFindings.length;
-      const filtered = await filterFalsePositives(allFindings, fileContentsMap);
-      const removed = beforeCount - filtered.length;
-      if (removed > 0) {
+      const result2 = await filterFalsePositives(allFindings, fileContentsMap);
+      aiReviewed = result2.aiReviewed;
+      aiRemovedCount = result2.removedCount;
+      aiTotalBefore = result2.totalBefore;
+      aiFilteredFindings = result2.filteredFindings;
+      if (result2.removedCount > 0) {
         allFindings.length = 0;
-        allFindings.push(...filtered);
-      }
-      if (removed > 0 && verbose) {
-        spinner.info(`AI review removed ${removed} false positive${removed !== 1 ? "s" : ""}`);
+        allFindings.push(...result2.findings);
       }
     } catch {
     }
@@ -3676,6 +3693,22 @@ async function scanCommand(directory, options) {
       renderTerminalReport(result, fileContentsForAnalysis);
       break;
   }
+  if (aiReviewed && !isSilent) {
+    console.log("");
+    if (aiRemovedCount > 0) {
+      console.log(chalk2.cyan("\u{1F916} AI Review: ") + chalk2.white(`${aiTotalBefore} findings scanned \u2192 ${aiRemovedCount} false positive${aiRemovedCount !== 1 ? "s" : ""} filtered \u2192 `) + chalk2.green(`${dedupedFindings.length} verified`));
+    } else {
+      console.log(chalk2.cyan("\u{1F916} AI Review: ") + chalk2.green(`all ${dedupedFindings.length} finding${dedupedFindings.length !== 1 ? "s" : ""} verified`));
+    }
+    if (verbose && aiFilteredFindings.length > 0) {
+      console.log(chalk2.gray(`
+  Filtered findings (AI determined these are false positives):`));
+      for (const { finding: f, reason } of aiFilteredFindings) {
+        console.log(chalk2.gray(`    ${f.severity.toUpperCase().padEnd(8)} ${f.rule} ${f.file}:${f.line}`));
+        console.log(chalk2.gray(`             Reason: ${reason}`));
+      }
+    }
+  }
   if (tier === "free" && !isSilent) {
     console.log("");
     if (userPlan === "anonymous") {