ktg-plugin-marketplace/plugins/config-audit/tests
Kjell Tore Guttormsen a65c7f4080 feat(config-audit): severity-weighted scoreByArea (v5 F3)
Replace count-based pass-rate with severity-weighted penalty:
- penalty = sum(count[s] * WEIGHTS[s])
- maxBudget = max(10, findingCount * 4)
- passRate = max(0, 100 - penalty / maxBudget * 100)

A few lows no longer crater an area's grade; a single high or critical
consumes a large fraction of budget. Mirrors the operator intuition that
severity, not count, is the signal.

BREAKING (intentional): scoring semantics differ from v4 for non-clean
configs. Add scoringVersion: 'v5' to the returned struct so consumers
can detect the version. baseline-all-a remains all-A (no critical/high
on that fixture).

Tests: +6 cases for severity weighting; existing "many findings" test
updated to use highs (where v5 still drops the grade as expected).
2026-05-01 06:20:08 +02:00
fixtures test(config-audit): add marketplace-small/medium/large scanner fixtures 2026-04-19 22:36:33 +02:00
hooks feat: initial open marketplace with llm-security, config-audit, ultraplan-local 2026-04-06 18:47:49 +02:00
lib feat(config-audit): severity-weighted scoreByArea (v5 F3) 2026-05-01 06:20:08 +02:00
scanners feat(config-audit): add token-hotspots CLI (node scanners/token-hotspots-cli.mjs) 2026-04-19 22:46:25 +02:00