npm - xploitscan - Versions diffs - 1.1.3 → 1.1.4 - Mend

xploitscan 1.1.3 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -43512,7 +43512,25 @@ var ALWAYS_IGNORE = [
   "*.map",
   "package-lock.json",
   "pnpm-lock.yaml",
-  "yarn.lock"
+  "yarn.lock",
+  // Intentionally-vulnerable test corpora. Security tools (XploitScan,
+  // Semgrep, Bearer, Gitleaks, Snyk Code) all maintain directories of
+  // known-bad code samples used to verify that rules fire. Scanning
+  // them produces a flood of "critical" findings on the scanner's own
+  // dogfood, drowning the signal from real product code. Skip by
+  // default. Users who genuinely want to scan a fixture directory can
+  // override via .xploitscanignore (the negation syntax `!test-
+  // fixtures/` un-ignores it).
+  //
+  // We only match these as directory names anywhere in the tree, so a
+  // project whose actual source happens to live under a path called
+  // `fixtures-prod/` is unaffected.
+  "test-fixtures",
+  "test-fixtures/**",
+  "__fixtures__",
+  "__fixtures__/**",
+  "vulnerable-samples",
+  "vulnerable-samples/**"
 ];
 async function collectFiles(directory) {
   const ig = ignore.default();
@@ -45531,7 +45549,21 @@ For each finding, respond ONLY with a JSON array. No other text.
 Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
 var MAX_FINDINGS_PER_BATCH = 15;
 var MAX_CONTEXT_LINES = 10;
-var MAX_TOTAL_FINDINGS = 50;
+var DEFAULT_MAX_TOTAL_FINDINGS = 200;
+var MAX_TOTAL_FINDINGS = (() => {
+  const raw = process.env.XPLOITSCAN_AI_FILTER_MAX;
+  if (!raw) return DEFAULT_MAX_TOTAL_FINDINGS;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 1) return DEFAULT_MAX_TOTAL_FINDINGS;
+  return Math.min(n, 1e3);
+})();
+var SEVERITY_PRIORITY = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4
+};
 function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 1 - contextLines);
@@ -45579,8 +45611,13 @@ async function filterFalsePositives(findings, fileContents) {
   const empty = { findings, filteredFindings: [], aiReviewed: false, removedCount: 0, totalBefore: findings.length };
   if (!process.env.ANTHROPIC_API_KEY) return empty;
   if (findings.length === 0) return empty;
-  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
-  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const prioritized = [...findings].sort((a, b) => {
+    const pa = SEVERITY_PRIORITY[(a.severity || "").toLowerCase()] ?? 5;
+    const pb = SEVERITY_PRIORITY[(b.severity || "").toLowerCase()] ?? 5;
+    return pa - pb;
+  });
+  const toReview = prioritized.slice(0, MAX_TOTAL_FINDINGS);
+  const overflow = prioritized.slice(MAX_TOTAL_FINDINGS);
   const totalBefore = findings.length;
   const byFile = /* @__PURE__ */ new Map();
   for (const f of toReview) {
@@ -48182,7 +48219,7 @@ async function cursorInstallCommand(opts = {}) {
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.1.3");
+).version("1.1.4");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option(
   "-f, --format <format>",
   "Output format: terminal, json, sarif, splunk-hec, elastic-ecs, datadog-logs",