websec-validator 0.2.5__tar.gz → 0.2.6__tar.gz

{websec_validator-0.2.5/src/websec_validator.egg-info → websec_validator-0.2.6}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.5
+Version: 0.2.6
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.5 → websec_validator-0.2.6}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "websec-validator"
-version = "0.2.5"
+version = "0.2.6"
 description = "Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app."
 readme = "README.md"
 requires-python = ">=3.11"

{websec_validator-0.2.5 → websec_validator-0.2.6}/src/websec_validator/findings.py

@@ -184,7 +184,9 @@ def build_ledger(facts: dict, unified: dict | None, dynamic: dict | None = None,
         cat = t.get("category", "")
         cls = cat_to_class.get(cat, "sast")
         sev = t.get("severity", "MEDIUM")
-        conf = "HIGH" if cat in ("secret",) or (cat == "sca" and sev in ("HIGH", "CRITICAL")) else "MEDIUM"
+        # Confidence follows severity for secrets/CVEs: a generic-api-key tiered down to MEDIUM
+        # (low-precision rule, bug-072) should NOT be stamped HIGH-confidence — keep P(real) honest.
+        conf = "HIGH" if (cat in ("secret", "sca") and sev in ("HIGH", "CRITICAL")) else "MEDIUM"
         out.append(_f(t.get("title", cat), f"static-{cat}", cls, sev, conf, t.get("file", ""),
                       [{"layer": "static", "detail": f"{'+'.join(t.get('tools', []))}: {t.get('title','')}"}]))
 

{websec_validator-0.2.5 → websec_validator-0.2.6}/src/websec_validator/scanners.py

@@ -200,6 +200,23 @@ def _aws_secret_tier(secret: str, match: str):
     return None, None
 
 
+# gitleaks/trivy "generic" + entropy/keyword rules are high-recall, low-precision: they fire on
+# public keys, wallet addresses, hashes, env-var refs and test fixtures about as often as real
+# credentials. Tier those to MEDIUM + a verify note (NEVER hide them) so the HIGH secret tier
+# stays trustworthy in a shareable report; specific-format rules (AKIA, private-key, GitHub/
+# Stripe/Slack/JWT, etc.) keep HIGH. (bug-072 — dogfooding a wallet app surfaced ~20 HIGH
+# generic-api-key FPs in committed source.)
+_GENERIC_SECRET_RULES = {"generic-api-key", "generic-api-key-1", "generic", "api-key",
+                         "secret-keyword", "high-entropy", "high-entropy-string", "entropy"}
+_GENERIC_NOTE = ("generic/entropy match — verify it's a live credential "
+                 "(often a public key, address, hash or env-ref, not a secret)")
+
+
+def _generic_secret(rule: str) -> bool:
+    r = (rule or "").lower()
+    return r in _GENERIC_SECRET_RULES or "generic" in r or "entropy" in r
+
+
 def _norm_trivy(data: dict) -> list:
     out = []
     for res in (data.get("Results") or []):
@@ -210,11 +227,14 @@ def _norm_trivy(data: dict) -> list:
                         "title": f"{v.get('PkgName')} {v.get('InstalledVersion')} → {v.get('FixedVersion', '(no fix)')}",
                         "fingerprint": f"cve|{v.get('PkgName')}|{v.get('VulnerabilityID')}"})
         for s in (res.get("Secrets") or []):
+            rid = s.get("RuleID", "")
             sev, note = _aws_secret_tier(s.get("Match", ""), s.get("Code", "") or "")
-            title = f"secret: {s.get('Title') or s.get('RuleID')}" + (f" — {note}" if note else "")
+            if not sev and _generic_secret(rid):
+                sev, note = "MEDIUM", _GENERIC_NOTE
+            title = f"secret: {s.get('Title') or rid}" + (f" — {note}" if note else "")
             out.append({"tool": "trivy", "category": "secret", "severity": sev or _sev(s.get("Severity") or "HIGH"),
-                        "key": s.get("RuleID", ""), "file": tgt, "line": s.get("StartLine", 0),
-                        "title": title, "fingerprint": f"secret|{tgt}|{s.get('RuleID')}"})
+                        "key": rid, "file": tgt, "line": s.get("StartLine", 0),
+                        "title": title, "fingerprint": f"secret|{tgt}|{rid}"})
         for m in (res.get("Misconfigurations") or []):
             out.append({"tool": "trivy", "category": "iac", "severity": _sev(m.get("Severity")),
                         "key": m.get("ID", ""), "file": tgt, "line": 0, "title": (m.get("Title") or "")[:90],
@@ -228,6 +248,8 @@ def _norm_gitleaks(data) -> list:
     for x in rows:
         f, rule = x.get("File", ""), x.get("RuleID", "")
         sev, note = _aws_secret_tier(x.get("Secret", ""), x.get("Match", ""))
+        if not sev and _generic_secret(rule):
+            sev, note = "MEDIUM", _GENERIC_NOTE
         title = f"secret: {(x.get('Description') or rule)[:80]}" + (f" — {note}" if note else "")
         out.append({"tool": "gitleaks", "category": "secret", "severity": sev or "HIGH",
                     "key": rule, "file": f, "line": x.get("StartLine", 0),

{websec_validator-0.2.5 → websec_validator-0.2.6/src/websec_validator.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: websec-validator
-Version: 0.2.5
+Version: 0.2.6
 Summary: Local-first security recon that briefs your AI coding agent: facts + tailored probe scripts, code-in / artifacts-out. No LLM, no server, no running app.
 Author: Ricardo Accioly
 License: MIT

{websec_validator-0.2.5 → websec_validator-0.2.6}/tests/test_hardening.py

@@ -133,5 +133,41 @@ class ProbeRegistrationTests(unittest.TestCase):
         self.assertEqual(ctx["endpoints"]["reads"], ["GET /api/a"])
 
 
+class SecretPrecisionTests(unittest.TestCase):
+    """bug-072: low-precision generic/entropy secret rules -> MEDIUM (+verify note); specific
+    rules (AKIA, private-key, …) keep HIGH. Nothing is hidden."""
+
+    def test_generic_rule_detection(self):
+        self.assertTrue(scanners._generic_secret("generic-api-key"))
+        self.assertTrue(scanners._generic_secret("high-entropy-string"))
+        self.assertFalse(scanners._generic_secret("aws-access-token"))
+        self.assertFalse(scanners._generic_secret("private-key"))
+
+    def test_gitleaks_generic_is_medium_specific_is_high(self):
+        rows = [
+            {"File": "src/lib/chains.ts", "RuleID": "generic-api-key", "Secret": "x" * 40, "Match": "x" * 40, "StartLine": 1},
+            {"File": "src/k.pem", "RuleID": "private-key", "Secret": "-----BEGIN", "Match": "-----BEGIN", "StartLine": 1},
+            {"File": "src/a.ts", "RuleID": "aws-access-token", "Secret": "AKIA" + "A" * 16, "Match": "AKIA" + "A" * 16, "StartLine": 1},
+        ]
+        by = {r["key"]: r for r in scanners._norm_gitleaks(rows)}
+        self.assertEqual(by["generic-api-key"]["severity"], "MEDIUM")
+        self.assertIn("generic/entropy", by["generic-api-key"]["title"])
+        self.assertEqual(by["private-key"]["severity"], "HIGH")          # specific rule untouched
+        self.assertEqual(by["aws-access-token"]["severity"], "HIGH")     # AKIA via _aws_secret_tier
+
+    def test_trivy_generic_secret_is_medium(self):
+        data = {"Results": [{"Target": "src/x.ts", "Secrets": [
+            {"RuleID": "generic-api-key", "Title": "Generic API Key", "Match": "y" * 40, "StartLine": 2}]}]}
+        secs = [f for f in scanners._norm_trivy(data) if f["category"] == "secret"]
+        self.assertEqual(secs[0]["severity"], "MEDIUM")
+
+    def test_medium_secret_gets_medium_confidence_in_ledger(self):
+        unified = {"top": [{"severity": "MEDIUM", "category": "secret",
+                            "title": "secret: Generic API Key — generic/entropy match", "file": "src/x.ts", "tools": ["gitleaks"]}]}
+        led = findings.build_ledger({}, unified, None, [])
+        hit = [f for f in led["findings"] if f["category"] == "static-secret"][0]
+        self.assertEqual(hit["confidence"], "MEDIUM")
+
+
 if __name__ == "__main__":
     unittest.main()