open/ktg-plugin-marketplace
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity Actions

feat(llm-security): add .kt .groovy .scala to taint-tracer CODE_EXTENSIONS

Browse source
This commit is contained in:
Kjell Tore Guttormsen 2026-04-18 10:04:32 +02:00
commit 50c0cd3065
2 changed files with 84 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
plugins/llm-security/scanners/taint-tracer.mjs
View file

@ -22,6 +22,8 @@ import { SEVERITY } from './lib/severity.mjs';
// ---------------------------------------------------------------------------
// File extension filter — only scan code files, not config/docs
// JVM-language support (.kt, .kts, .groovy, .gradle, .scala) is required for
// JetBrains plugin scanning — plugin source lives in these languages.
// ---------------------------------------------------------------------------
const CODE_EXTENSIONS = new Set([
@ -32,6 +34,9 @@ const CODE_EXTENSIONS = new Set([
'.rb', '.php',
'.go', '.rs',
'.java', '.cs',
'.kt', '.kts',
'.groovy', '.gradle',
'.scala',
'.sh', '.bash', '.zsh',
]);

79
plugins/llm-security/tests/scanners/taint-tracer.test.mjs Normal file
View file

@ -0,0 +1,79 @@
// taint-tracer.test.mjs — JVM-language CODE_EXTENSIONS coverage
//
// Verifies that the taint-tracer scans Kotlin source files (added in v6.6.0
// to support JetBrains plugin scanning). Creates a tmp fixture with an
// env-var → child_process.exec flow in a .kt file and asserts the scanner
// produces at least one finding.
import { describe, it, before, after } from 'node:test';
import assert from 'node:assert/strict';
import { mkdtemp, writeFile, rm } from 'node:fs/promises';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
import { resetCounter } from '../../scanners/lib/output.mjs';
import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
import { scan } from '../../scanners/taint-tracer.mjs';
describe('taint-tracer — Kotlin (.kt) support', () => {
let fixtureDir;
before(async () => {
fixtureDir = await mkdtemp(join(tmpdir(), 'llm-security-kt-taint-'));
// Plant a source (process.env-equivalent) → sink (exec) flow in Kotlin.
// The taint-tracer is language-agnostic at the regex level — it matches
// on identifiers like System.getenv, ProcessBuilder, exec. We mirror the
// Node.js process.env pattern to exercise the shared source regex.
const ktSource = [
'class Leak {',
' fun run() {',
// Same-line source -> sink: process.env flows directly into exec()
// Mirrors the JS pattern detected by Pass 2 (same-line CRITICAL).
' Runtime.getRuntime().exec(process.env["USER_CMD"])',
// Variable-propagation case using generic source label user_input
' val tainted = user_input',
' child_process.exec(tainted)',
' }',
'}',
''
].join('\n');
await writeFile(join(fixtureDir, 'Leak.kt'), ktSource, 'utf8');
});
after(async () => {
if (fixtureDir) await rm(fixtureDir, { recursive: true, force: true });
});
it('discovers the .kt file', async () => {
const discovery = await discoverFiles(fixtureDir);
const ktFiles = discovery.files.filter(f => f.ext === '.kt');
assert.ok(ktFiles.length >= 1, `Expected ≥1 .kt file discovered, got ${ktFiles.length}`);
});
it('returns status ok on Kotlin input', async () => {
resetCounter();
const discovery = await discoverFiles(fixtureDir);
const result = await scan(fixtureDir, discovery);
assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
});
it('scans the .kt file (files_scanned >= 1)', async () => {
resetCounter();
const discovery = await discoverFiles(fixtureDir);
const result = await scan(fixtureDir, discovery);
assert.ok(
result.files_scanned >= 1,
`Expected files_scanned >= 1 (Kotlin file should be included), got ${result.files_scanned}`
);
});
it('detects at least one taint flow in Kotlin source', async () => {
resetCounter();
const discovery = await discoverFiles(fixtureDir);
const result = await scan(fixtureDir, discovery);
assert.ok(
result.findings.length >= 1,
`Expected >= 1 taint finding in Kotlin source, got ${result.findings.length}. ` +
`Findings: ${result.findings.map(f => f.title).join('; ')}`
);
});
});