Fix security-scanner and duplicate-detector false positives#63
Open
abk1969 wants to merge 13 commits into
Open
Fix security-scanner and duplicate-detector false positives#63abk1969 wants to merge 13 commits into
abk1969 wants to merge 13 commits into
Conversation
Diagnosed via an external run against AIROI where all 10 reported security issues and the duplicate POST/GET finding were false positives, each traced to a specific regex/allowlist gap in the analyzer embedded in index.html.
…on fixes Task-by-task plan executing the approved design spec, each fix verified against the real analyzer (via card/lib/analyzer.js) before being written down, so every "run the test, expect it to fail/pass" step is grounded in actual measured behavior rather than assumption.
…nd real exec calls
… literal-safety, not just the first Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…g the other rules and the documented behavior Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…ated architecture-diagram grouping issue The previous fixture (tests/fixtures/security-precision-world/test/preview.test.tsx) was correct in intent but its placement — a second file added to an already-populated fixture subdirectory — triggered a pre-existing, unrelated fragility in the architecture-diagram block-grouping logic (out of scope for this branch). Moved to a root-level markdown fixture, which exercises the same isNonProductionPath code path via its file extension instead of its directory, without perturbing directory topology elsewhere in the repo.
|
@abk1969 is attempting to deploy a commit to the braedonsaunders' projects Team on Vercel. A member of the Team first needs to authorize it. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The Security Scanner and duplicate-function detector in
detectSecurity/Parser.detectDuplicates(embedded inindex.html) were producing false positives when run against a real external project: no awareness of file role (test/fixture/tooling vs. shipped code), no word-boundary precision on several regexes, and acommonNamesallowlist missing Next.js App Router conventions.This PR adds a shared
isNonProductionPath()classifier (composed from the existingisArchitectureTestFile/isArchitectureFixtureFilehelpers, previously only wired into architecture/dead-code analysis) and applies seven targeted precision fixes:.exec(narrowed tochild_process/cpreceivers so it no longer matches unrelatedregex.exec().query/execute/rawcall receiver instead of matching bare English words; this also fixes a false negative where the old regex was order-dependent and missedSELECT ... ${id}.dangerouslySetInnerHTMLwhen every occurrence in a file resolves to a pure string literal (e.g. static i18n copy), while still flagging variable/expression interpolation; also gated on non-production paths, consistent with the other rules.includes('Function(')substring check that matched things like a comment mentioninggetFunction(x); kept only the anchored\bnew\s+Function\s*\(regex.infofor server-only code (via the existingisArchitectureBackendPathclassifier), since a server-sideconsole.lognever reaches the browser.GET,POST,generateMetadata, etc.) tocommonNames, so framework-mandated exports repeated across route files are no longer flagged as a naming conflict. The separate structuraltype:'code'duplicate detector is intentionally left untouched — genuinely identical bodies are still worth flagging regardless of name.Each fix is backed by a new fixture pair (false-positive case + true-positive case) under
tests/fixtures/security-precision-world/, with corresponding tests in the newtests/security-precision.test.mjs, following the same VM-harness pattern astests/codeflow-golden.test.mjs.Design doc:
docs/superpowers/specs/2026-07-11-security-scanner-precision-design.mdImplementation plan:
docs/superpowers/plans/2026-07-11-security-scanner-precision.mdKnown limitations (out of scope for this PR)
commonNamesadditions cover only Next.js App Router conventions; other frameworks aren't addressed.isNonProductionPathmatches directory segments anywhere in the path (scripts/,tools/,tooling/,docs/), so a real secret in a shippedsrc/scripts/folder would be suppressed — this is the same tradeoff the design doc explicitly accepted.'info'severity (Debug Statements) isn't yet tallied in the UI's High/Medium/Low badge counts, and isn't in the severity sort map atindex.html:1606— display-layer follow-ups, no UI work was in scope here.Test plan
node --testfrom repo root — 47/47 pass (all pre-existing tests unchanged + 9 new tests intests/security-precision.test.mjs)tests/codeflow-golden.test.mjsstays green, unmodifiedgit worktree(not just the working directory) to rule out local-state false positives