Merged
Introduces severity badge display and per-organization severity breakdowns in the Rules component, with supporting CSS for both light and dark themes. Adds a new 'Export All Matches' button to download all matches as consolidated JSON, and enhances timestamp display with instant tooltips showing local and relative time. Also includes utility/test updates and adds Vitest as a dev dependency.
Introduces suppression analytics to backtest results, including actual alerts, suppressed counts, and breakdowns per organization. Adds UI components for suppression summaries, alert distribution sparkline, and improved statistics display. Updates export functions to include suppression metadata and refines sorting and display logic for organization results.
CRITICAL SECURITY FIX: Updated JWT authentication to send credentials in POST request body instead of URL query parameters.

Previously, the application was sending the organization ID (oid), user ID (uid), and API key (secret) as URL query parameters in GET requests to jwt.limacharlie.io. This is insecure as credentials in URLs are:
- Logged in browser history
- Captured in server access logs
- Visible in network monitoring tools
- Exposed in developer tools
- May be cached by proxies/CDNs

Changes made:

src/composables/useAuth.ts:
- generateFreshJWT(): Changed from GET with URL params to POST with form-encoded body (line 97-104)
- generateJWTForOrg(): Changed from GET with URL params to POST with form-encoded body (line 137-144)
- testCredentials(): Changed from GET with URL params to POST with form-encoded body (line 175-182)

src/components/Config.vue:
- generateJWTForOrg(): Changed from GET with URL params to POST with form-encoded body (line 1190-1197)

All four functions now:
- Use POST method instead of GET
- Send credentials in request body with Content-Type: application/x-www-form-urlencoded
- Include all three required parameters: oid, uid, and secret
- Properly URL-encode values with encodeURIComponent()

This implementation follows the LimaCharlie API documentation at https://docs.limacharlie.io/docs/api-keys and industry security best practices for handling sensitive credentials.
This commit applies consistent formatting and indentation across multiple files, including test specs, utility functions, and the Rules.vue component. It improves code readability by reducing unnecessary line breaks, simplifying expressions, and clarifying nested function calls. No functional changes are introduced.
Documents the new validation test suite for DetectionForge, including its location, usage, and guidelines for maintaining alignment with LimaCharlie detection logic operators. Provides instructions for running the suite and updating fixtures and documentation as new validation behaviors are introduced.
Introduces an optional 'metadata' field to both 'add tag' and 'remove tag' action schemas, allowing custom metadata to be attached. Updates example usages to demonstrate the new field.
Bumps version to 1.8.0 and updates the changelog and README with new features: severity breakdown visualization, suppression tracking, match export, and a critical security fix for JWT credential handling. Also includes documentation and code formatting improvements.
Pull Request Overview
This release enhances backtest analytics with suppression tracking, adds severity breakdown visualization, and fixes a critical JWT authentication security vulnerability. Key improvements include sparkline alert distribution visualization, comprehensive suppression analytics with actual vs suppressed alert tracking, and corrected operator schema validation for exists, architecture, and lookup operators.
Reviewed Changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/utils/version.ts | Version bump to 1.8.0 with changelog entry |
| src/utils/suppression.ts | New utility for suppression logic including template rendering and alert tracking |
| src/utils/drValidation.ts | Enhanced validation for lookup, metadata_rules, truthy, and operator-specific fields |
| src/utils/drSchema.ts | Fixed schema definitions for exists, platform, architecture, and lookup operators |
| src/utils/drConstants.ts | Added truthy and metadata_rules to valid properties |
| src/utils/tests/fixtures/validDetectRules.ts | New test fixtures for real-world detection rules |
| src/utils/tests/drValidation.spec.ts | Comprehensive test suite for detection logic validation |
| src/composables/useAuth.ts | Security fix: JWT authentication changed from GET to POST |
| src/components/Rules.vue | Extensive UI enhancements for suppression tracking and severity visualization |
| src/components/Config.vue | JWT authentication security fix |
| src/assets/styles.css | New styles for severity badges, suppression indicators, and sparkline charts |
| src/tests/suppression.spec.ts | Unit tests for suppression functionality |
| package.json | Version bump and vitest dependency added |
| README.md | Documentation for validation test suite |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
fix: replace any types with Record<string, unknown> in test file
Enhanced backtest analytics with severity breakdown, suppression tracking, and critical security fix
✨ Added
Severity breakdown visualization with color-coded badges (critical/high/medium/low/info) and per-severity hit counts in backtest results
Suppression analytics tracking actual vs suppressed alerts with sparkline visualization of alert patterns
Export all matches functionality for consolidated JSON export of detection matches across organizations
Validation Test Suite documentation in README with comprehensive test coverage details
🔄 Changed
Code formatting improvements for better readability and maintainability across multiple files
🐛 Fixed
Operator schema validation: Corrected field requirements for exists, is platform, architecture operators (is 32 bit, is 64 bit, is arm), and lookup operator
Tag action schema now correctly supports metadata field for enhanced tagging capabilities
🔒 Security
JWT authentication credential exposure - Changed from GET with URL parameters to POST with form-encoded body, preventing credential exposure in browser history, server logs, network monitoring, and proxy caches
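The JWT credential fix described in the commit message and in the Security entry above, as an added JavaScript example that is not DetectionForge's own code: the credential-leaking GET request shape beside the hardened form-encoded POST shape, plus a check a test suite can run to confirm no credential field appears in the URL. The endpoint host is the one named on the page; the request path, function names and sample credentials are assumptions.

```javascript
// Added example, not DetectionForge's own code. Builds request descriptors
// (url plus a fetch()-style init) for both the vulnerable and the fixed shape.

// Host taken from the commit message; the request path is an assumption.
const JWT_ENDPOINT = 'https://jwt.limacharlie.io/';

// application/x-www-form-urlencoded body built with encodeURIComponent, as the
// commit describes, so '&', '=', '+' and '/' inside a secret survive intact.
function formEncode(params) {
  return Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join('&');
}

// BEFORE (vulnerable): oid, uid and secret ride in the query string, so they
// end up in browser history, server access logs, proxy caches and dev tools.
function buildJwtRequestInsecure(creds) {
  const query = formEncode({ oid: creds.oid, uid: creds.uid, secret: creds.secret });
  return { url: `${JWT_ENDPOINT}?${query}`, method: 'GET', headers: {} };
}

// AFTER (fixed): the same three parameters move into a form-encoded POST body
// and the URL carries nothing but the endpoint.
function buildJwtRequest(creds) {
  return {
    url: JWT_ENDPOINT,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: formEncode({ oid: creds.oid, uid: creds.uid, secret: creds.secret }),
  };
}

// Regression check: names of credential fields found in the URL's query string
// or fragment. Must come back empty for every auth request after the fix.
function credentialFieldsInUrl(url, fields = ['oid', 'uid', 'secret']) {
  const tail = url.split(/[?#]/).slice(1).join('&');
  const names = tail
    .split('&')
    .filter(Boolean)
    .map((kv) => decodeURIComponent(kv.split('=')[0]));
  return fields.filter((f) => names.indexOf(f) !== -1);
}

// Constructed sample credentials (not real values) for a stand-alone run.
const sampleCreds = { oid: 'org-1234', uid: 'user-5678', secret: 'k3y/with=odd&chars' };
console.log(credentialFieldsInUrl(buildJwtRequestInsecure(sampleCreds).url)); // leaks all three
console.log(credentialFieldsInUrl(buildJwtRequest(sampleCreds).url)); // []
```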