Skip to content

Fix security-scanner and duplicate-detector false positives (revised: addresses #63 review)#65

Open
abk1969 wants to merge 18 commits into
braedonsaunders:mainfrom
abk1969:security-scanner-precision
Open

Fix security-scanner and duplicate-detector false positives (revised: addresses #63 review)#65
abk1969 wants to merge 18 commits into
braedonsaunders:mainfrom
abk1969:security-scanner-precision

Conversation

@abk1969

@abk1969 abk1969 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Revised version of #63, closed after the requested-changes review found four merge-blocking scanner regressions. This PR carries the original branch plus five commits addressing every finding, each with regression coverage that reproduces the reviewer's exact repro case. Full suite: 52/52 pass (node --test; 47 at review time + 5 new regression tests).

Review findings → fixes

Finding Fix Regression coverage
SQL template injection checked only in the first query/execute/raw call 939161c — replaced the single .match(...) with a global-regex loop over every db call lib/db.ts fixture now has a safe db.query("SELECT 1") before the vulnerable template-literal query (the reported repro); test verified RED pre-fix
node:child_process no longer detected a5ffa6a — added (?:node:)? to both the require and from regex alternatives server/logger.ts fixture exercises import { exec } from "node:child_process" + exec(userInput); acbc828 additionally proves the require("node:child_process") alternative in isolation via an in-memory synthetic-file test (revert-verified RED)
isNonProductionPath(fn.file) disabled structural type:"code" duplicate detection, contradicting the PR body c50ed30 — removed the guard from the structural codeGroups loop only; the documented name-based fnByName guard is unchanged Synthetic two-file structural duplicate under tests/ + tools/ paths asserts a type:'code' finding; RED pre-fix
info severity absent from severity sort map and High/Medium/Low UI totals/styles 07b754f — added info:3 to the sort map, an Info totals badge, .security-item.info styling, and an info branch in getSeverityColor Synthetic three-file ordering test that deterministically failed pre-fix (the undefined rank made the comparator return NaN, leaking scan order)

The behavior of flagging a child_process import without a call is pre-existing and was left unchanged; the blocking defect was the missed node: specifier form.

🤖 Generated with Claude Code

abk1969 and others added 18 commits July 11, 2026 23:47
Diagnosed via an external run against AIROI where all 10 reported
security issues and the duplicate POST/GET finding were false
positives, each traced to a specific regex/allowlist gap in the
analyzer embedded in index.html.
…on fixes

Task-by-task plan executing the approved design spec, each fix verified
against the real analyzer (via card/lib/analyzer.js) before being written
down, so every "run the test, expect it to fail/pass" step is grounded in
actual measured behavior rather than assumption.
… literal-safety, not just the first

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…g the other rules and the documented behavior

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…ated architecture-diagram grouping issue

The previous fixture (tests/fixtures/security-precision-world/test/preview.test.tsx)
was correct in intent but its placement — a second file added to an
already-populated fixture subdirectory — triggered a pre-existing, unrelated
fragility in the architecture-diagram block-grouping logic (out of scope for
this branch). Moved to a root-level markdown fixture, which exercises the
same isNonProductionPath code path via its file extension instead of its
directory, without perturbing directory topology elsewhere in the repo.
…t the first

.match() without /g only inspected the first query/execute/raw call in a
file, so a safe first call hid a vulnerable second one. Iterate all db
calls with a global regex and flag if any argument list interpolates a
SQL keyword via template literal.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…on rule

The require() and from-import alternatives in the Command Execution regex
only matched the bare 'child_process' specifier, so
import { exec } from "node:child_process"; exec(userInput); produced no
finding. Both alternatives now accept an optional node: prefix.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ection

The prior regression test's server/logger.ts fixture satisfies the
Command Execution rule via its `from` import alone, so it couldn't
independently prove the `require` alternative's node: prefix handling.
Add an in-memory synthetic-file test (buildAnalysisData with a single
fabricated file, no fixture-tree file added) isolating a bare
require("node:child_process") call with no import and no dot-notation
exec() call.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ction paths

The codeGroups loop in Parser.findDuplicates had picked up the same
isNonProductionPath(fn.file) guard as the name-based fnByName loop,
silently suppressing type:"code" structural duplicate findings for
tests/fixtures/tooling/docs paths. Only the name-based loop guard was
intentional; remove it from the structural loop to match the PR's
stated scope.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
commit 9254993 introduced severity:'info' for backend Debug Statements
findings but never wired it into the places that assume only
high/medium/low exist: the severity sort comparator produced NaN for
info (unstable ordering), the security tab totals row had no Info
badge, .security-item had no info variant, and getSeverityColor
treated info identically to low.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@vercel

vercel Bot commented Jul 13, 2026

Copy link
Copy Markdown

@abk1969 is attempting to deploy a commit to the braedonsaunders' projects Team on Vercel.

A member of the Team first needs to authorize it.

@abk1969

abk1969 commented Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

Hello,
Fable helped me to fix PR#63.
Best regards!
Abbas

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant