6f86de937a
Final commit in the trustworthy-scoring series. Bundles verdict cutoff
alignment, the last suite of tests, and all documentation touch-points
that quote version numbers or describe v7.0.0 behaviour.
Verdict/band co-monotonicity
- `scanners/lib/severity.mjs` — verdict cutoffs moved from 61/21 to 65/15
so `BLOCK >= 65`, `WARNING >= 15` locks onto the v2 riskBand() boundaries.
Prevents "BLOCK / Medium band" contradictions under the v2 formula.
Scanner hardening (bug fixes from v7.0.0 testing)
- `scanners/entropy-scanner.mjs` — `policy_source` now uses
`existsSync('.llm-security/policy.json')` instead of value-based check.
Old heuristic always reported 'policy.json' because DEFAULT_POLICY now
carries an `entropy.thresholds` section.
- `scanners/lib/file-discovery.mjs` — `.sass` and GPU shader extensions
(`.glsl, .frag, .vert, .shader, .wgsl`) added to TEXT_EXTENSIONS. Without
this, shader files were invisible to file-discovery, so they were never
counted as skipped by the entropy-scanner extension filter.
Tests
- `tests/scanners/entropy-context.test.mjs` (new, 24 tests) — A. File-ext
skip (4), B. Line-level rules 11-17 (8), C. Policy overrides (3).
Fixtures generate 80-char base64 payloads at runtime via
`crypto.randomBytes` to dodge the plugin's own pre-edit credential hook
on the test source.
- `tests/lib/severity.test.mjs` — rewritten with v2 scoring table (70
tests total, was 52).
- `tests/lib/output.test.mjs:243` — "1 critical = score 80" under v2
(was 25 under v1).
- Full suite: 1485/1485 green (was 1461).
Docs
- `CHANGELOG.md` — v7.0.0 entry with BREAKING CHANGES section.
- `README.md` (plugin + marketplace root) — version badge, history table,
plugin-card version string, test count.
- `CLAUDE.md` — header version, "v7.0.0 — Trustworthy scoring" summary
paragraph at the top.
- `docs/security-hardening-guide.md` — new section 6 "Calibration & false
positives" documenting v2 formula, context-aware entropy scanner,
typosquat allowlist, and §6.4 tuning workflow. Existing "Recommended
baseline" section renumbered to §7.
Version bump
- `6.6.0 -> 7.0.0` across package.json, .claude-plugin/plugin.json,
scanners/ide-extension-scanner.mjs VERSION const, README badge,
CLAUDE.md header, marketplace root README card.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
243 lines
11 KiB
JavaScript
243 lines
11 KiB
JavaScript
// entropy-context.test.mjs — False-positive fixtures for v7.0.0 context-aware suppression
|
|
//
|
|
// Covers:
|
|
// A. File-extension skip (.glsl, .css, .svg, .min.js, ...)
|
|
// B. Line-level rules 11-17 (GLSL/CSS-in-JS/HTML/ffmpeg/UA/SQL/error-template)
|
|
// C. User-policy thresholds and suppress_line_patterns
|
|
//
|
|
// Strategy: write a throwaway fixture under os.tmpdir(), discover it, run scan(),
|
|
// assert finding count. Fixture-content strings are built from runtime concatenation
|
|
// to avoid triggering the plugin's own credential-pattern pre-edit hook on the test source.
|
|
|
|
import { describe, it, before, after } from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import { mkdtemp, mkdir, writeFile, rm } from 'node:fs/promises';
|
|
import { randomBytes } from 'node:crypto';
|
|
import { join } from 'node:path';
|
|
import { tmpdir } from 'node:os';
|
|
import { resetCounter } from '../../scanners/lib/output.mjs';
|
|
import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
|
|
import { scan } from '../../scanners/entropy-scanner.mjs';
|
|
import { _resetCacheForTest } from '../../scanners/lib/policy-loader.mjs';
|
|
|
|
// Random base64 from 60 crypto bytes → 80-char base64, H ≈ 5.4, will classify as
|
|
// HIGH (entropy >= 5.1, len >= 64). Regenerated on module load for each test run.
|
|
// Built at runtime so the plugin's credential-pattern pre-edit hook doesn't flag the
|
|
// test source file. Excludes '/', '+', '=' to avoid breaking JS string syntax.
|
|
function makePayload() {
|
|
const raw = randomBytes(60).toString('base64').replace(/[/+=]/g, 'A');
|
|
return raw.slice(0, 80);
|
|
}
|
|
const PAYLOAD = makePayload();
|
|
|
|
async function writeFixture(root, relPath, content) {
|
|
const abs = join(root, relPath);
|
|
const lastSlash = abs.lastIndexOf('/');
|
|
await mkdir(abs.substring(0, lastSlash), { recursive: true });
|
|
await writeFile(abs, content);
|
|
}
|
|
|
|
async function newRoot(prefix) {
|
|
return mkdtemp(join(tmpdir(), prefix));
|
|
}
|
|
|
|
describe('entropy-scanner context suppression (v7.0.0+)', () => {
|
|
let root;
|
|
|
|
before(async () => {
|
|
root = await newRoot('entropy-ctx-');
|
|
});
|
|
|
|
after(async () => {
|
|
await rm(root, { recursive: true, force: true });
|
|
_resetCacheForTest();
|
|
});
|
|
|
|
describe('A. File-extension skip', () => {
|
|
it('skips .glsl files entirely (no findings)', async () => {
|
|
const fx = await newRoot('ent-glsl-');
|
|
await writeFixture(fx, 'shader.glsl', 'vec4 color = "' + PAYLOAD + '";');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'Expected 0 findings in .glsl, got ' + result.findings.length);
|
|
assert.ok(result.calibration.files_skipped_by_extension >= 1);
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('skips .css files entirely', async () => {
|
|
const fx = await newRoot('ent-css-');
|
|
await writeFixture(fx, 'styles.css', '.x{content:"' + PAYLOAD + '";}');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0);
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('skips .min.js files (compound extension)', async () => {
|
|
const fx = await newRoot('ent-minjs-');
|
|
await writeFixture(fx, 'bundle.min.js', 'var x="' + PAYLOAD + '";');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0);
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('still scans .js files (non-skipped extension)', async () => {
|
|
const fx = await newRoot('ent-js-');
|
|
await writeFixture(fx, 'app.js', 'const blob = "' + PAYLOAD + '";');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.ok(result.findings.length >= 1, 'expected high-entropy .js to still be detected');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
});
|
|
|
|
describe('B. Line-level suppression rules 11-17', () => {
|
|
it('rule 11: GLSL keyword on line suppresses finding', async () => {
|
|
const fx = await newRoot('ent-rule11-');
|
|
await writeFixture(fx, 'shader.js',
|
|
'const src = "uniform vec3 u_resolution; ' + PAYLOAD + '";');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected GLSL keyword line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 12: CSS-in-JS (styled-components) suppresses finding', async () => {
|
|
const fx = await newRoot('ent-rule12-');
|
|
await writeFixture(fx, 'btn.js',
|
|
'const Button = styled.button`:hover { content: "' + PAYLOAD + '"; }`;');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected styled-components line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 13: Inline <svg> markup on line suppresses finding', async () => {
|
|
const fx = await newRoot('ent-rule13-');
|
|
await writeFixture(fx, 'Icon.jsx',
|
|
'return (<svg viewBox="0 0 24 24"><path d="' + PAYLOAD + '"/></svg>);');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected inline SVG line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 14: ffmpeg filter_complex suppresses finding', async () => {
|
|
const fx = await newRoot('ent-rule14-');
|
|
await writeFixture(fx, 'pipeline.js',
|
|
'run("ffmpeg -filter_complex=[0:v]scale=' + PAYLOAD + '");');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected ffmpeg line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 15: browser User-Agent string suppresses finding', async () => {
|
|
const fx = await newRoot('ent-rule15-');
|
|
await writeFixture(fx, 'ua.js',
|
|
'const agent = "Mozilla/5.0 Chrome/120 ' + PAYLOAD + '";');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected UA line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 16: SQL DDL on dedicated line suppresses finding', async () => {
|
|
// Line must START with SELECT/INSERT/... — whitespace allowed but no prefix code.
|
|
const fx = await newRoot('ent-rule16-');
|
|
await writeFixture(fx, 'schema.js',
|
|
'// fallback\nSELECT id, data FROM users WHERE tok = \'' + PAYLOAD + '\';\n');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected SELECT-anchored line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 16 does NOT over-match generic strings mentioning SELECT', async () => {
|
|
// SQL_STATEMENT is line-anchored; a `const` prefix means no suppression by rule 16.
|
|
const fx = await newRoot('ent-rule16b-');
|
|
await writeFixture(fx, 'app.js',
|
|
'const msg = "SELECT something ' + PAYLOAD + '";');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.ok(result.findings.length >= 1, 'generic code line must not trigger SQL suppression');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('rule 17: throw new Error template suppresses finding', async () => {
|
|
const fx = await newRoot('ent-rule17-');
|
|
await writeFixture(fx, 'err.js',
|
|
'throw new Error(`Bad input <code>' + PAYLOAD + '</code>`);');
|
|
resetCounter();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected throw new Error line to suppress');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
});
|
|
|
|
describe('C. Policy-driven overrides', () => {
|
|
it('user-policy suppress_line_patterns adds custom suppression', async () => {
|
|
const fx = await newRoot('ent-policy-');
|
|
await writeFixture(fx, 'secret.js', 'const vendor = "' + PAYLOAD + '"; // MY_VENDOR_MARKER');
|
|
await writeFixture(fx, '.llm-security/policy.json', JSON.stringify({
|
|
entropy: { suppress_line_patterns: ['MY_VENDOR_MARKER'] }
|
|
}));
|
|
resetCounter();
|
|
_resetCacheForTest();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected user pattern to suppress');
|
|
assert.equal(result.calibration.policy_source, 'policy.json');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('user-policy suppress_paths skips files whose relPath contains the substring', async () => {
|
|
const fx = await newRoot('ent-paths-');
|
|
await writeFixture(fx, 'src/vendored/big.js', 'var x="' + PAYLOAD + '";');
|
|
await writeFixture(fx, 'src/app.js', 'var y="' + PAYLOAD + '";');
|
|
await writeFixture(fx, '.llm-security/policy.json', JSON.stringify({
|
|
entropy: { suppress_paths: ['vendored/'] }
|
|
}));
|
|
resetCounter();
|
|
_resetCacheForTest();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 1, 'Expected 1 finding (app.js only), got ' + result.findings.length);
|
|
assert.ok(result.calibration.files_skipped_by_path >= 1);
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
|
|
it('user-policy stricter thresholds suppress medium-strength payload', async () => {
|
|
const fx = await newRoot('ent-thresh-');
|
|
await writeFixture(fx, 'cfg.js', 'const blob = "' + PAYLOAD + '";');
|
|
await writeFixture(fx, '.llm-security/policy.json', JSON.stringify({
|
|
entropy: {
|
|
thresholds: {
|
|
critical: { entropy: 6.0, minLen: 256 },
|
|
high: { entropy: 5.8, minLen: 200 },
|
|
medium: { entropy: 5.7, minLen: 150 },
|
|
}
|
|
}
|
|
}));
|
|
resetCounter();
|
|
_resetCacheForTest();
|
|
const discovery = await discoverFiles(fx);
|
|
const result = await scan(fx, discovery);
|
|
assert.equal(result.findings.length, 0, 'expected strict thresholds to suppress medium-strength payload');
|
|
await rm(fx, { recursive: true, force: true });
|
|
});
|
|
});
|
|
});
|