npm - xploitscan - Versions diffs - 1.1.3 → 1.1.5 - Mend

xploitscan 1.1.3 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -43512,7 +43512,25 @@ var ALWAYS_IGNORE = [
   "*.map",
   "package-lock.json",
   "pnpm-lock.yaml",
-  "yarn.lock"
+  "yarn.lock",
+  // Intentionally-vulnerable test corpora. Security tools (XploitScan,
+  // Semgrep, Bearer, Gitleaks, Snyk Code) all maintain directories of
+  // known-bad code samples used to verify that rules fire. Scanning
+  // them produces a flood of "critical" findings on the scanner's own
+  // dogfood, drowning the signal from real product code. Skip by
+  // default. Users who genuinely want to scan a fixture directory can
+  // override via .xploitscanignore (the negation syntax `!test-
+  // fixtures/` un-ignores it).
+  //
+  // We only match these as directory names anywhere in the tree, so a
+  // project whose actual source happens to live under a path called
+  // `fixtures-prod/` is unaffected.
+  "test-fixtures",
+  "test-fixtures/**",
+  "__fixtures__",
+  "__fixtures__/**",
+  "vulnerable-samples",
+  "vulnerable-samples/**"
 ];
 async function collectFiles(directory) {
   const ig = ignore.default();
@@ -45362,7 +45380,12 @@ var complianceMap = {
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "low",
+  // Demoted from "low" to "info" 2026-05-11. This is a code-hygiene
+  // signal (leaked debug logs, occasionally PII), not a security
+  // vulnerability in the OWASP sense. Was inflating severity counts
+  // on real codebases (11+ hits on vibecheck's own scan), drowning
+  // the actual security signal.
+  severity: "info",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
@@ -45402,7 +45425,11 @@ var todoLeftInCode = {
 var emptyCatchBlock = {
   id: "VC104",
   title: "Empty Catch Block",
-  severity: "medium",
+  // Demoted from "medium" to "info" 2026-05-11. Already a Code-Quality
+  // category — empty catch blocks are a maintainability concern, not a
+  // security vulnerability. Worth flagging, not worth counting as a
+  // security "medium" alongside actual SQL-injection / XSS findings.
+  severity: "info",
   category: "Code Quality",
   description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
   check(content, filePath) {
@@ -45531,7 +45558,21 @@ For each finding, respond ONLY with a JSON array. No other text.
 Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
 var MAX_FINDINGS_PER_BATCH = 15;
 var MAX_CONTEXT_LINES = 10;
-var MAX_TOTAL_FINDINGS = 50;
+var DEFAULT_MAX_TOTAL_FINDINGS = 200;
+var MAX_TOTAL_FINDINGS = (() => {
+  const raw = process.env.XPLOITSCAN_AI_FILTER_MAX;
+  if (!raw) return DEFAULT_MAX_TOTAL_FINDINGS;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 1) return DEFAULT_MAX_TOTAL_FINDINGS;
+  return Math.min(n, 1e3);
+})();
+var SEVERITY_PRIORITY = {
+  critical: 0,
+  high: 1,
+  medium: 2,
+  low: 3,
+  info: 4
+};
 function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
   const lines = content.split("\n");
   const start = Math.max(0, line - 1 - contextLines);
@@ -45579,8 +45620,13 @@ async function filterFalsePositives(findings, fileContents) {
   const empty = { findings, filteredFindings: [], aiReviewed: false, removedCount: 0, totalBefore: findings.length };
   if (!process.env.ANTHROPIC_API_KEY) return empty;
   if (findings.length === 0) return empty;
-  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
-  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const prioritized = [...findings].sort((a, b) => {
+    const pa = SEVERITY_PRIORITY[(a.severity || "").toLowerCase()] ?? 5;
+    const pb = SEVERITY_PRIORITY[(b.severity || "").toLowerCase()] ?? 5;
+    return pa - pb;
+  });
+  const toReview = prioritized.slice(0, MAX_TOTAL_FINDINGS);
+  const overflow = prioritized.slice(MAX_TOTAL_FINDINGS);
   const totalBefore = findings.length;
   const byFile = /* @__PURE__ */ new Map();
   for (const f of toReview) {
@@ -48182,7 +48228,7 @@ async function cursorInstallCommand(opts = {}) {
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.1.3");
+).version("1.1.5");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option(
   "-f, --format <format>",
   "Output format: terminal, json, sarif, splunk-hec, elastic-ecs, datadog-logs",