Kjell Tore Guttormsen
ce3891bdd0
Single-file SPA playground har nå parser + renderer for alle 18 produces_report=true-kommandoer (Fase 2: 10 høy-prio + Fase 3: 8 gjenstående: mcp-inspect, supply-check, pre-deploy, diff, watch, registry, clean, threat-model). 18 markdown test-fixtures fungerer som kontrakt-anker for parser-utvikling. Komplett demo-prosjekt `dft-komplett-demo` har alle 18 rapporter ferdig parsed inline — klikk-gjennom uten "parser ikke implementert"- paneler. 2 nye archetypes i KEY_STATS_CONFIG: kanban-buckets (clean) og matrix-risk (threat-model). Bug-fix: normalizeVerdictText sjekker nå GO-WITH-CONDITIONS / CONDITIONAL / BETINGET FØR plain GO så betinget verdict (pre-deploy med åpne vilkår) ikke kollapser til ALLOW. Eksponert 11 window-globaler for testing/automasjon (__store, __navigate, __loadDemoState, __PARSERS, __RENDERERS, __CATALOG, __inferVerdict, __inferKeyStats, __renderPageShell, __handlePasteImport, __scheduleRender). 12 Playwright-genererte screenshots i playground/screenshots/v7.5.0/. A11Y-rapport (WCAG 2.1 AA): 0 blokkerende, 3 mindre forbedringer flagget for v7.5.x patch (skip-link, heading-hierarki på project, aria-live toast). Versjonsbump 7.4.0 -> 7.5.0 i 10 filer (package.json, plugin.json, CLAUDE.md header, README badge, CHANGELOG-entry, 3 scanner VERSION- konstanter, ROADMAP, marketplace-rot README). Ingen scanner- eller hook-behavior-changes — purely additive surface. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
109 lines
3.6 KiB
Markdown
109 lines
3.6 KiB
Markdown
# IDE-Extension Scan
|
|
|
|
---
|
|
|
|
## Header
|
|
|
|
| Field | Value |
|
|
|-------|-------|
|
|
| **Report type** | ide-scan |
|
|
| **Target** | installed VS Code + JetBrains extensions |
|
|
| **Date** | 2026-05-05 |
|
|
| **Version** | llm-security v7.4.0 |
|
|
| **Scope** | 47 VS Code extensions + 12 JetBrains plugins |
|
|
| **Frameworks** | OWASP LLM Top 10, OWASP Agentic |
|
|
| **Triggered by** | /security ide-scan |
|
|
|
|
---
|
|
|
|
## Risk Dashboard
|
|
|
|
| Metric | Value |
|
|
|--------|-------|
|
|
| **Risk Score** | 28/100 |
|
|
| **Risk Band** | Medium |
|
|
| **Grade** | C |
|
|
| **Verdict** | WARNING |
|
|
|
|
| Severity | Count |
|
|
|----------|------:|
|
|
| Critical | 0 |
|
|
| High | 1 |
|
|
| Medium | 4 |
|
|
| Low | 7 |
|
|
| Info | 12 |
|
|
| **Total** | **24** |
|
|
|
|
**Verdict rationale:** One high-severity finding: a JetBrains plugin (`acme-helper`) declares `Premain-Class` (javaagent retransform) which is the riskiest IDE-extension pattern.
|
|
|
|
---
|
|
|
|
## Scan Coverage
|
|
|
|
| IDE | Extensions Scanned | Findings |
|
|
|-----|-------------------:|---------:|
|
|
| VS Code | 47 | 8 |
|
|
| Cursor | 12 (subset of VS Code) | 2 |
|
|
| IntelliJ IDEA | 12 | 14 |
|
|
| **Total** | **59** | **24** |
|
|
|
|
---
|
|
|
|
## Findings
|
|
|
|
### High
|
|
|
|
| ID | Extension | IDE | Description | OWASP |
|
|
|----|-----------|-----|-------------|-------|
|
|
| IDE-001 | acme-helper | IntelliJ | Declares `Premain-Class` — javaagent retransform attack surface | ASI04 |
|
|
|
|
### Medium
|
|
|
|
| ID | Extension | IDE | Description | OWASP |
|
|
|----|-----------|-----|-------------|-------|
|
|
| IDE-002 | dark-theme-pro | VS Code | Theme contains `extension.js` (theme-with-code) | LLM06 |
|
|
| IDE-003 | rest-client-typo | VS Code | Typosquat: Levenshtein 2 vs `rest-client` (top-100) | LLM03 |
|
|
| IDE-004 | ace-helper | IntelliJ | Long `<depends>` chain (12 plugins) — large surface | LLM03 |
|
|
| IDE-005 | json-fast | VS Code | activationEvents includes `*` (broad activation) | ASI04 |
|
|
|
|
### Low
|
|
|
|
| ID | Extension | IDE | Description | OWASP |
|
|
|----|-----------|-----|-------------|-------|
|
|
| IDE-006 | git-graph | VS Code | Native binary `.dylib` shipped (verified signature OK) | — |
|
|
| IDE-007 | gradle-helper | IntelliJ | Native binary `.so` shipped (Linux ELF) | — |
|
|
| IDE-008 | vsc-cmd | VS Code | `vscode:uninstall` hook present | — |
|
|
| IDE-009 | shaded-jar-pro | IntelliJ | Shaded jar advisory (3 jars) | — |
|
|
| IDE-010 | rest-client-typo | VS Code | Same as IDE-003: typosquat suspicion | LLM03 |
|
|
| IDE-011 | code-splitter | VS Code | activationEvents `onStartupFinished` (broad) | ASI04 |
|
|
| IDE-012 | java-fmt | IntelliJ | Premain-Class candidate (lower confidence) | ASI04 |
|
|
|
|
### Info
|
|
|
|
12 informational findings (mostly publisher metadata + extension-pack expansions). See envelope for full list.
|
|
|
|
---
|
|
|
|
## Per-IDE Recommendations
|
|
|
|
### VS Code
|
|
|
|
1. **Medium:** Investigate `dark-theme-pro` — themes should not ship code.
|
|
2. **Medium:** Compare `rest-client-typo` to `rest-client` — likely typosquat. Uninstall.
|
|
3. **Medium:** Audit `json-fast` activation events; consider replacing with narrower scope.
|
|
|
|
### IntelliJ IDEA / JetBrains
|
|
|
|
1. **High:** Manually verify `acme-helper` Premain-Class is legitimate. Consider disabling.
|
|
2. **Medium:** Reduce `ace-helper` depends-chain or replace.
|
|
3. **Low:** Verify shaded-jar advisories (`shaded-jar-pro`) — known shading is normal but creates supply-chain opacity.
|
|
|
|
---
|
|
|
|
## Methodology
|
|
|
|
7 VS Code-specific checks (blocklist, theme-with-code, sideload, broad activation, typosquat, extension-pack, dangerous hooks) + 7 JetBrains checks (Premain-Class, native binaries, depends chain, theme-with-code, broad activation, typosquat, shaded jars). Reused scanners (UNI/ENT/NET/TNT/MEM/SCR) per extension. Offline mode by default.
|
|
|
|
---
|
|
|
|
*IDE-scan complete. 59 extensions, 24 findings, 8.9 seconds.*
|