open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

docs(severity): B3 — document info as scoring-inert (v7.2.0 prep)

Browse source 
Critical-review §2 B3 finding: `riskScore({info: N}) = 0` silently masks
info-volume findings. The behavior was correct (info is scoring-inert by
design) but undocumented. Operators reading a report with N info findings
had no way to know they contribute zero to verdict/band.

Three coordinated edits:
- scanners/lib/severity.mjs JSDoc — explicit "Info severity" subsection
  spelling out: scoring-inert, surfaced in owaspCategorize aggregates,
  treat as observability telemetry not verdict input. @param updated to
  mark info as accepted but ignored.
- CLAUDE.md v7.0.0 risk-score-v2 line — one-sentence anchor pointing to
  severity.mjs JSDoc.
- tests/lib/severity.test.mjs — anchor test alongside the existing
  4-critical=93 anchor: asserts riskScore({info: 50}) === 0,
  riskScore({info: 1000}) === 0, verdict({info: 100}) === 'ALLOW',
  riskBand(riskScore({info: 500})) === 'Low'.

Decision: skip the optional `infoScore()` helper from the brief. No
current consumer would use it; doc-only fix keeps API surface minimal.
Revisit if a consumer emerges.

Tests: 1522 → 1523 (+1 anchor block, 4 assertions). All green.
This commit is contained in:
Kjell Tore Guttormsen 2026-04-29 13:56:11 +02:00
commit 3cd68dc9fb
3 changed files with 23 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

10
plugins/llm-security/tests/lib/severity.test.mjs
View file

@ -301,6 +301,16 @@ describe('verdict/riskBand co-monotonicity (v7.0.0 §5.4)', () => {
// 70 + min(25, log2(5)*10) = 70 + 23.219... = 93.219 → round → 93.
assert.equal(riskScore({ critical: 4 }), 93);
});
it('info severity is scoring-inert (B3, v7.2.0)', () => {
// Documented contract: `info` counts contribute zero to risk_score,
// do not affect verdict, do not affect riskBand. Pinned here against
// any future change that would (intentionally or not) start scoring info.
assert.equal(riskScore({ info: 50 }), 0);
assert.equal(riskScore({ info: 1000 }), 0);
assert.equal(verdict({ info: 100 }), 'ALLOW');
assert.equal(riskBand(riskScore({ info: 500 })), 'Low');
});
});
// ---------------------------------------------------------------------------