Conversation
- Rewrite VersionRange::overlaps_with for precise semver interval intersection
- Add robust glob pattern matching for dependency ignore rules using globset
- Update tests for edge cases in version overlap and glob ignore patterns

Enables accurate vulnerability matching and flexible dependency analysis ignores.
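The commit above rewrites `VersionRange::overlaps_with` so that the overlap test is an exact interval intersection rather than a loose bound comparison. Why that matters for vulnerability matching: an advisory range such as `<1.4.2` and a pinned version `=1.4.2` touch at a single point that one side excludes, and an imprecise check reports a false positive there (or, with the opposite sloppiness, a false negative for `<=2.0.0` meeting `>=2.0.0`). The block below is an added example and not the project's code; the `Bound` enum, the comparator syntax accepted by `parse`, and the omission of pre-release tags are assumptions made for the illustration.

```rust
use std::cmp::Ordering;

/// Minimal semantic version (major.minor.patch); pre-release tags are left out here.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        if parts.next().is_some() {
            return None; // more than three numeric components is rejected
        }
        Some(Version(major, minor, patch))
    }
}

/// One end of an interval. On a version tie, `Exclusive` is the tighter bound.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Bound {
    Unbounded,
    Inclusive(Version),
    Exclusive(Version),
}

impl Bound {
    fn version(self) -> Option<Version> {
        match self {
            Bound::Unbounded => None,
            Bound::Inclusive(v) | Bound::Exclusive(v) => Some(v),
        }
    }
}

/// Tighter of two lower bounds: the higher version wins, exclusive wins a tie.
fn tighter_lower(a: Bound, b: Bound) -> Bound {
    match (a.version(), b.version()) {
        (None, _) => b,
        (_, None) => a,
        (Some(va), Some(vb)) => match va.cmp(&vb) {
            Ordering::Greater => a,
            Ordering::Less => b,
            Ordering::Equal => if matches!(a, Bound::Exclusive(_)) { a } else { b },
        },
    }
}

/// Tighter of two upper bounds: the lower version wins, exclusive wins a tie.
fn tighter_upper(a: Bound, b: Bound) -> Bound {
    match (a.version(), b.version()) {
        (None, _) => b,
        (_, None) => a,
        (Some(va), Some(vb)) => match va.cmp(&vb) {
            Ordering::Less => a,
            Ordering::Greater => b,
            Ordering::Equal => if matches!(a, Bound::Exclusive(_)) { a } else { b },
        },
    }
}

/// [lower, upper] is empty only if the bounds cross, or touch at a version one side excludes.
fn non_empty(lower: Bound, upper: Bound) -> bool {
    match (lower, upper) {
        (Bound::Unbounded, _) | (_, Bound::Unbounded) => true,
        (Bound::Inclusive(l), Bound::Inclusive(u)) => l <= u,
        (l, u) => l.version().unwrap() < u.version().unwrap(), // at least one side is exclusive
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct VersionRange {
    pub lower: Bound,
    pub upper: Bound,
}

impl VersionRange {
    /// Parse a comparator list such as ">=1.2.0, <2.0.0", "=1.4.2" or "*".
    /// (Assumption: caret, tilde and x-wildcard forms are not handled in this example.)
    pub fn parse(spec: &str) -> Option<VersionRange> {
        let mut range = VersionRange { lower: Bound::Unbounded, upper: Bound::Unbounded };
        for part in spec.split(',').map(str::trim).filter(|p| !p.is_empty() && *p != "*") {
            let (op, rest) = ["<=", ">=", "<", ">", "="]
                .iter()
                .find_map(|op| part.strip_prefix(*op).map(|rest| (*op, rest)))
                .unwrap_or(("=", part));
            let v = Version::parse(rest)?;
            match op {
                ">=" => range.lower = tighter_lower(range.lower, Bound::Inclusive(v)),
                ">" => range.lower = tighter_lower(range.lower, Bound::Exclusive(v)),
                "<=" => range.upper = tighter_upper(range.upper, Bound::Inclusive(v)),
                "<" => range.upper = tighter_upper(range.upper, Bound::Exclusive(v)),
                _ => {
                    range.lower = tighter_lower(range.lower, Bound::Inclusive(v));
                    range.upper = tighter_upper(range.upper, Bound::Inclusive(v));
                }
            }
        }
        Some(range)
    }

    pub fn contains(&self, v: Version) -> bool {
        let above_lower = match self.lower {
            Bound::Unbounded => true,
            Bound::Inclusive(l) => l <= v,
            Bound::Exclusive(l) => l < v,
        };
        let below_upper = match self.upper {
            Bound::Unbounded => true,
            Bound::Inclusive(u) => v <= u,
            Bound::Exclusive(u) => v < u,
        };
        above_lower && below_upper
    }

    /// Exact intersection, or None when the ranges do not meet.
    pub fn intersection(&self, other: &VersionRange) -> Option<VersionRange> {
        let lower = tighter_lower(self.lower, other.lower);
        let upper = tighter_upper(self.upper, other.upper);
        non_empty(lower, upper).then_some(VersionRange { lower, upper })
    }

    pub fn overlaps_with(&self, other: &VersionRange) -> bool {
        self.intersection(other).is_some()
    }
}

/// Does an advisory's affected range meet the range a lockfile pins? None on unparsable input.
pub fn overlaps(affected: &str, installed: &str) -> Option<bool> {
    Some(VersionRange::parse(affected)?.overlaps_with(&VersionRange::parse(installed)?))
}

fn main() {
    for (affected, installed) in [(">=1.2.0, <2.0.0", ">=1.9.0, <3.0.0"), ("<1.4.2", "=1.4.2")] {
        println!("{affected:?} vs {installed:?}: {:?}", overlaps(affected, installed));
    }
}
```

The intersection is computed by taking the tighter of the two lower bounds and the tighter of the two upper bounds and then asking whether what remains is non-empty; `overlaps_with` is just that test, so the touching-boundary cases come out right without any special casing.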
- Resolve dependency edges to actual package versions in npm, Ruby, PHP, Python uv, and Rust lockfile parsers
- Use pending dependency collection and second-pass resolution to link edges to concrete targets where possible
- Infer versions for unresolved dependencies using version requirements or placeholders
- Preserve dependency edges for git/path dependencies in Cargo parser for accurate graph analysis
- Add helpers in dependency resolver for package keying, registry error mapping, and best version selection

This enables more accurate and complete dependency graphs for multi-ecosystem analysis and vulnerability detection.
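The commit above describes a two-pass scheme: collect pending dependency edges while reading the lockfile, then resolve each edge to a concrete `name@version` target, choosing the best matching version and falling back to an inferred placeholder. The block below is an added example, not the project's resolver: the `LockEntry` shape, the `package_key` format, the subset of requirement syntax handled by `satisfies`, and the constructed npm-style lockfile are all assumptions for the illustration. The reason a lockfile can contain several versions of one package (two `lodash` entries below) is exactly why the second pass needs requirement matching instead of a plain name lookup.

```rust
use std::collections::HashMap;

/// One lockfile record in ecosystem-neutral form. (Constructed shape for this
/// example; real parsers fill it from package-lock.json, Gemfile.lock, etc.)
#[derive(Debug, Clone)]
pub struct LockEntry {
    pub name: String,
    pub version: String,
    pub deps: Vec<(String, String)>, // (dependency name, version requirement)
}

/// A resolved edge. `inferred` marks targets no lockfile entry satisfied, so the
/// version is a placeholder derived from the requirement string.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Edge {
    pub from: String,
    pub to: String,
    pub inferred: bool,
}

/// Stable node key, e.g. "lodash@4.17.21".
pub fn package_key(name: &str, version: &str) -> String {
    format!("{name}@{version}")
}

fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut it = s.trim().split('.');
    let major = it.next()?.parse().ok()?;
    let minor = it.next().unwrap_or("0").parse().ok()?;
    let patch = it.next().unwrap_or("0").parse().ok()?;
    Some((major, minor, patch))
}

/// Simplified requirement matcher for `*`, exact, `^`, `~` and `>=`.
/// (Assumption: a subset of npm/Cargo syntax, enough for this walkthrough.)
pub fn satisfies(req: &str, v: (u64, u64, u64)) -> bool {
    let req = req.trim();
    if req.is_empty() || req == "*" {
        return true;
    }
    if let Some(rest) = req.strip_prefix(">=") {
        return parse_version(rest).map_or(false, |r| v >= r);
    }
    if let Some(rest) = req.strip_prefix('^') {
        // caret: stay within the leftmost non-zero component, at or above the floor
        return parse_version(rest).map_or(false, |r| {
            let same_series = if r.0 > 0 { v.0 == r.0 } else if r.1 > 0 { v.0 == 0 && v.1 == r.1 } else { v == r };
            v >= r && same_series
        });
    }
    if let Some(rest) = req.strip_prefix('~') {
        // tilde: patch-level changes only
        return parse_version(rest).map_or(false, |r| v >= r && v.0 == r.0 && v.1 == r.1);
    }
    parse_version(req.trim_start_matches('=')).map_or(false, |r| v == r)
}

/// Highest candidate version satisfying `req`, if any.
pub fn best_version<'a>(candidates: &[&'a str], req: &str) -> Option<&'a str> {
    candidates
        .iter()
        .filter_map(|v| parse_version(v).map(|p| (p, *v)))
        .filter(|(p, _)| satisfies(req, *p))
        .max_by_key(|(p, _)| *p)
        .map(|(_, v)| v)
}

/// Pass 1 indexes every pinned package by name and queues each declared dependency
/// as a pending edge; pass 2 links each pending edge to the best concrete version,
/// or to an inferred placeholder when nothing in the lockfile matches.
pub fn resolve_graph(entries: &[LockEntry]) -> Vec<Edge> {
    let mut by_name: HashMap<&str, Vec<&str>> = HashMap::new();
    let mut pending: Vec<(String, &str, &str)> = Vec::new();
    for e in entries {
        by_name.entry(e.name.as_str()).or_default().push(e.version.as_str());
        let from = package_key(&e.name, &e.version);
        for (dep, req) in &e.deps {
            pending.push((from.clone(), dep.as_str(), req.as_str()));
        }
    }
    pending
        .into_iter()
        .map(|(from, dep, req)| match by_name.get(dep).and_then(|vs| best_version(vs, req)) {
            Some(v) => Edge { from, to: package_key(dep, v), inferred: false },
            None => Edge { from, to: package_key(dep, &format!("<{req}>")), inferred: true },
        })
        .collect()
}

fn entry(name: &str, version: &str, deps: &[(&str, &str)]) -> LockEntry {
    LockEntry {
        name: name.to_string(),
        version: version.to_string(),
        deps: deps.iter().map(|(d, r)| (d.to_string(), r.to_string())).collect(),
    }
}

/// Constructed npm-style lockfile used as sample input (not a real project's lockfile).
pub fn sample_lockfile() -> Vec<LockEntry> {
    vec![
        entry("app", "1.0.0", &[("lodash", "^4.17.0"), ("minimist", "~1.2.5"), ("left-pad", "*")]),
        entry("lodash", "3.10.1", &[]),
        entry("lodash", "4.17.21", &[]),
        entry("minimist", "1.2.8", &[]),
        entry("minimist", "0.0.8", &[]),
    ]
}

fn main() {
    for edge in resolve_graph(&sample_lockfile()) {
        println!("{} -> {}{}", edge.from, edge.to, if edge.inferred { " (inferred)" } else { "" });
    }
}
```

An inferred edge is kept rather than dropped so the graph still shows that `app` depends on `left-pad`; downstream matching can treat the placeholder version conservatively instead of silently losing the dependency.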
- Resolve parameter, request body, response, and header references from components
- Improve parsing of referenced objects for OpenAPI/Swagger specs

feat: expose db_size and info_stats in dragonfly cache
- Add methods to query total keys and Redis INFO STATS metrics

feat: implement ecosystem cache invalidation and statistics
- Invalidate cache entries for a given ecosystem using key patterns
- Provide detailed cache statistics from Dragonfly metrics
- Replace stubbed cache stats with real values from Redis

This improves OpenAPI reference handling and enables cache introspection and targeted invalidation.
…ion parsing
- Include SubscriptionTier in QuotaUsage and propagate to API responses
- Resolve organization tier dynamically in organization endpoints
- Enhance Gradle version parser to handle ranges, selectors, and property refs
- Detect JavaScript frameworks from package.json dependencies
- Enforce API key TTL > 0 in config validation
- Simplify rate limit middleware auth extraction to use EarlyAuthInfo only
- Add `items` field to `ApiSchema` and parse it in `OpenApiParser`
- Update `InputValidationAnalyzer` to recurse into array item schemas
- Refactor `ResourceRestrictionAnalyzer` to detect arrays via recursive schema walk
- Enhance `SecurityHeadersAnalyzer` to check for wildcard CORS origins in header schemas
- Add unit test for array item recursion in input validation analyzer
…ex usage in data exposure analyzer
- Update README and configuration reference to clarify default backend (landlock), available options, and new failure mode (best_effort, fail_closed)
- Add explanation of backend selection, fallback behavior, and strict mode for sandbox setup

feat: Add typed sandbox backend and failure mode config
- Introduce SandboxBackendPreference and SandboxFailureMode enums in config
- Replace string backend config with strongly-typed variant
- Add failure_mode option to SandboxConfig with default best_effort
- Update default backend to landlock for safer defaults

feat: Support strict fail-closed sandbox mode in executor
- Add strict_mode flag to SandboxExecutor and propagate from config
- Pass backend and strict flags to worker process
- Worker aborts execution if sandbox setup fails in strict mode
- WorkerResult includes backend, applied status, and setup error

feat: Add SandboxPolicyProfile for module-specific isolation
- Introduce SandboxPolicyProfile enum for read-only and dependency resolution profiles
- Add for_profile and with_profile methods to SandboxPolicy for easier policy composition
- Update tests for new policy profiles and backend config

test: Update sandbox tests for typed backend and failure mode
- Adjust module_tests to use SandboxBackendPreference and verify new defaults

chore: Update documentation and lib.rs for new sandbox defaults
- Clarify default backend and fallback behavior in crate docs
- Export SandboxPolicyProfile from lib.rs
- Standardize indentation in function calls, match arms, and assertions
- Merge redundant derive attributes in structs
- Reorder imports for consistency in analysis_context.rs
- No functional changes; improves readability and diff clarity
This pull request introduces several improvements and enhancements to the sandbox configuration, OpenAPI schema handling, and analyzer logic, along with updates to documentation and unit tests. The changes focus on making sandboxing behavior more explicit and robust, improving recursive schema analysis (especially for arrays), and enhancing detection capabilities in security analyzers.
Sandbox configuration and documentation improvements:
- Changed the default sandbox backend to `landlock` and added a new `VULNERA__SANDBOX__FAILURE_MODE` option, allowing users to specify behavior on sandbox setup failure (`best_effort` or `fail_closed`). Documentation and example configs have been updated accordingly. (README.md, docs/src/reference/configuration.md)

OpenAPI schema and analyzer enhancements:
- Added an `items` field to the `ApiSchema` struct to support array item schemas, and updated analyzers to recursively analyze array items for input validation and resource restriction. (vulnera-api/src/domain/value_objects.rs, vulnera-api/src/infrastructure/analyzers/input_validation_analyzer.rs, vulnera-api/src/infrastructure/analyzers/resource_restriction_analyzer.rs)
- Refactored `ResourceRestrictionAnalyzer` to more accurately detect arrays nested within object properties and composed schemas, enhancing detection of missing pagination.

Security analyzer improvements:
- Enhanced `SecurityHeadersAnalyzer` to check for wildcard CORS origins by inspecting default, example, and enum values in header schemas, and to set severity based on the risk of allowing all origins. (vulnera-api/src/infrastructure/analyzers/security_headers_analyzer.rs)
- Refactored `DataExposureAnalyzer` to use static, lazily-initialized regex patterns for JWTs and private keys, improving performance and code clarity. (vulnera-api/src/infrastructure/analyzers/data_exposure_analyzer.rs)

Testing and workflow updates:
- Added a unit test for array item recursion in the input validation analyzer. (vulnera-api/tests/unit/analyzers/test_enhanced_analyzers.rs)
- Changes to the `rust-guardrails` GitHub Actions workflow. (.github/workflows/rust-guardrails.yml)

These changes collectively improve configuration clarity, analyzer accuracy, and test coverage for the project.
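Two of the analyzer changes described above share one mechanism, a recursive walk over the schema tree: the `ResourceRestrictionAnalyzer` needs to find arrays nested inside object properties, `items` and allOf/oneOf compositions before it can flag a list response that lacks pagination, and the `SecurityHeadersAnalyzer` reads the default, example and enum values of a header schema to spot a wildcard CORS origin. The block below is an added example illustrating both, not the project's analyzers: apart from the `items` field the page names, the `ApiSchema` field names, the pagination parameter list, the severity scheme, and the constructed sample response are assumptions.

```rust
use std::collections::BTreeMap;

/// Subset of an OpenAPI schema object. `items` is the field the PR adds; the
/// remaining field names are assumptions for this example.
#[derive(Debug, Default, Clone)]
pub struct ApiSchema {
    pub schema_type: Option<String>,
    pub items: Option<Box<ApiSchema>>,
    pub properties: BTreeMap<String, ApiSchema>,
    pub all_of: Vec<ApiSchema>,
    pub one_of: Vec<ApiSchema>,
    pub default: Option<String>,
    pub example: Option<String>,
    pub enum_values: Vec<String>,
}

/// Recursively record the path of every array: nested in object properties,
/// inside another array's `items`, or contributed by an allOf/oneOf branch.
pub fn find_arrays(schema: &ApiSchema, path: &str, out: &mut Vec<String>) {
    let is_array = schema.schema_type.as_deref() == Some("array") || schema.items.is_some();
    if is_array {
        out.push(path.to_string());
    }
    if let Some(items) = &schema.items {
        find_arrays(items, &format!("{path}/items"), out);
    }
    for (name, prop) in &schema.properties {
        find_arrays(prop, &format!("{path}/properties/{name}"), out);
    }
    for (i, s) in schema.all_of.iter().enumerate() {
        find_arrays(s, &format!("{path}/allOf/{i}"), out);
    }
    for (i, s) in schema.one_of.iter().enumerate() {
        find_arrays(s, &format!("{path}/oneOf/{i}"), out);
    }
}

/// A response carrying an array anywhere in its tree, on an operation with no
/// pagination query parameter, is a candidate "missing pagination" finding.
/// (Assumption: this parameter list is the example's own.)
pub fn missing_pagination(response: &ApiSchema, query_params: &[&str]) -> bool {
    const PAGINATION: [&str; 6] = ["page", "limit", "offset", "cursor", "page_size", "per_page"];
    let mut arrays = Vec::new();
    find_arrays(response, "", &mut arrays);
    let paginated = query_params.iter().any(|p| PAGINATION.contains(&p.to_ascii_lowercase().as_str()));
    !arrays.is_empty() && !paginated
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity {
    High,
    Medium,
}

/// Inspect an Access-Control-Allow-Origin header schema's default, example and
/// enum values for "*". Severity scheme is an assumption: "*" as the only
/// documented value is High, "*" alongside concrete origins is Medium.
pub fn wildcard_cors_finding(header_name: &str, schema: &ApiSchema) -> Option<Severity> {
    if !header_name.eq_ignore_ascii_case("access-control-allow-origin") {
        return None;
    }
    let values: Vec<&str> = schema.default.iter()
        .chain(schema.example.iter())
        .chain(schema.enum_values.iter())
        .map(|s| s.trim())
        .collect();
    let wildcards = values.iter().filter(|v| **v == "*").count();
    match (wildcards, values.len()) {
        (0, _) => None,
        (w, n) if w == n => Some(Severity::High),
        _ => Some(Severity::Medium),
    }
}

/// Constructed sample: a list of users whose items carry a nested `tags` array,
/// plus an allOf branch that contributes a `warnings` array.
pub fn sample_response() -> ApiSchema {
    let array = |items: ApiSchema| ApiSchema {
        schema_type: Some("array".into()),
        items: Some(Box::new(items)),
        ..Default::default()
    };
    let object = |props: Vec<(&str, ApiSchema)>| ApiSchema {
        schema_type: Some("object".into()),
        properties: props.into_iter().map(|(k, v)| (k.to_string(), v)).collect(),
        ..Default::default()
    };
    let tag = ApiSchema { schema_type: Some("string".into()), ..Default::default() };
    let user = object(vec![("tags", array(tag))]);
    let mut response = object(vec![("users", array(user))]);
    response.all_of.push(object(vec![("warnings", array(ApiSchema::default()))]));
    response
}

fn main() {
    let mut paths = Vec::new();
    find_arrays(&sample_response(), "", &mut paths);
    println!("arrays at {paths:?}; missing pagination: {}", missing_pagination(&sample_response(), &["q"]));
}
```

Treating a schema with `items` as an array even when `type` is absent is deliberate: specs frequently omit `type: array` on `items`-bearing schemas, and an analyzer that keys only on `type` misses exactly the nested lists the PR set out to catch.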