k5602 added a commit that referenced this pull request on Feb 21, 2026
* feat: Add allowlist regex suppression for secret findings

  - Introduce global and rule-scoped allowlist patterns in SecretDetectionConfig
  - Suppress secret findings matching allowlist regex before reporting
  - Track suppression counts and breakdown in scan metadata
  - Extend SecretFinding and Finding with secret_metadata for detailed context
  - Implement SecretVerificationState for secret findings and API responses
  - Update tests for allowlist suppression and metadata propagation

  This enables flexible exclusion of known or placeholder secrets and improves triage accuracy.

* Raise MSRV to 1.91 and add SAST config gates and metadata

  - Update MSRV references to 1.91+ in docs, badges, clippy, Dockerfile, and Cargo.toml files
  - Add SAST config options: js_ts_frontend, min_finding_severity, min_finding_confidence, require_data_flow_evidence_for_dataflow, require_recommendation
  - Introduce VulnerabilityFindingMetadata and data flow trace types to Finding entity
  - Add parser frontend selection logic and OXC integration for JS/TS analysis
  - Register modules in composition root for explicit dependency injection
  - Add new SAST rules for Lodash prototype pollution (JS) and tarfile path traversal (Python)
  - Provide CVE test fixtures for new rules
  - Include SAST scale benchmark example for performance profiling

  These changes enable progressive rollout of OXC for JS/TS, fine-grained policy gating for findings, and richer vulnerability metadata for downstream consumers.

* chore: add workspace git hooks and docs index

  - Add .githooks/pre-commit for formatting, lint, and test enforcement
  - Add .pre-commit-config.yaml for pre-commit integration
  - Introduce docs/README.md as workspace onboarding and crate index
  - Update .gitignore to allow vulnera-cli workspace tracking
  - Remove tree-sitter-grep from Cargo.toml dependencies
  - Clean up README.md: add workspace docs link, remove team/community section
  - Update Dockerfile comment for NVD data directory
  - Expand CHANGELOG.md for CLI architecture, SAST remediation, and test coverage

* refactor: use let-chains to simplify conditionals

  - Replace nested if/let patterns with Rust let-chains to flatten conditionals across many modules (vulnera-api, vulnera-core, vulnera-deps, vulnera-orchestrator, vulnera-sast, vulnera-secrets, vulnera-llm, vulnera-deps, vulnera-adapter/cli tests, etc.)
  - Add unit tests for batch dependency analysis to validate request/response file_id contract
  - Update docs: add vulnera-advisor and vulnera-adapter to workspace overview
  - Import chrono::Utc where required and apply minor formatting/whitespace cleanups

  Preserve existing behavior; this is a readability/maintainability refactor with no breaking changes.

* sast: add quality gates and CI tests

  - Introduce SAST `quality_gates` in config/default.toml for CI/benchmark enforcement
  - Add `SastQualityGatesConfig` to vulnera-core::config and include in `SastConfig` with defaults
  - Update vulnera-sast tests to read gates from config and enforce:
    - aggregate precision/recall and CWE coverage
    - primary language gates for Python and combined JS/TS
    - incremental scan latency ratio test
    - deep-scan resident memory budget (Linux-only, reads /proc for RSS/HWM)
  - Centralize thresholds so CI can be tuned via config; failing gates will fail the accuracy tests

* feat(sast): per-language quality gates and typing

  - Introduce per-language precision/recall gates and min_languages_with_fixtures threshold, replacing the focused primary-language gates
  - Add validation for SAST quality gate fields (precision/recall in [0,1], non-zero memory, non-negative duration ratio) to fail fast on invalid config
  - Improve semantic type matching: normalize type names, add types_compatible helper, handle identifier aliasing and TypeScript annotations, and use the TypeScript tree-sitter grammar separately from JavaScript
  - Add a C++ fixture to broaden language coverage and update tests: accuracy report now enforces per-language thresholds and new unit tests cover alias/type annotation semantic constraints

  BREAKING CHANGE: config keys renamed — update config/default.toml (enforce_primary_language_gates → enforce_per_language_gates, python/js_ts_* keys → per_language_min_precision/ per_language_min_recall) and add min_languages_with_fixtures or rely on new defaults

* Add intelligence, sharding, and CFG utilities

  - Add application intelligence utilities (correlation, ranking, correlation index) using deterministic heuristics as a safe baseline for future ML ranking
  - Add infrastructure sharding (ShardCandidate, WorkShard, build_balanced_shards) for deterministic, balanced partitioning of files across workers/executors
  - Add SAST CFG foundations (ControlFlowGraph, CfgBuilder, path enumeration, path constraints) to support future path-sensitive data-flow analysis
  - Export intelligence module and register new infra modules; add tests and interprocedural callback propagation tests to validate taint flow through callbacks
  - No breaking changes; new functionality is covered by unit tests

* refactor(sast): dataflow to semantic path

  - Rename VulnerabilityDataFlowPath/Node -> VulnerabilitySemanticPath/Node and vulnerability metadata field data_flow_path -> semantic_path in vulnera-core to better represent taint evidence as a semantic trace
  - Update vulnera-sast domain and infra: DataFlowPath/Node -> SemanticPath/Node; build and propagate semantic_path in SAST engine, query engine, match-to-finding, SARIF export, and tests; adjust severity escalation to check semantic_path
  - Change SastModule builder to keep AnalysisConfig and AST cache, call execute_scan_with_depth_override, and map semantic_path into module results
  - In vulnera-orchestrator, inject "sast.analysis_depth" into module config based on job.analysis_depth via sast_analysis_depth_for_job and add unit tests for the mapping

  BREAKING CHANGE: Public types and field names changed (VulnerabilityDataFlowPath / VulnerabilityDataFlowNode, DataFlowPath / DataFlowNode, and data_flow_path -> semantic_path). Update any external consumers/implementations to the new names and the new module config key "sast.analysis_depth" if relying on SAST depth behavior.

* chore(license): Relicense project under AGPL-3.0-or-later

  Replace BUSL-1.1 with the GNU Affero General Public License v3 in Cargo.toml and commit the full AGPL-3.0-or-later LICENSE text.

  Add robust LLM response parsing utilities:
  - New vulnera-llm::infrastructure::response_parser with JSON extraction from fenced code blocks, any fenced code, or first JSON value.
  - Unit tests for parsing strategies.

  Wire parser and related changes into the LLM module:
  - Import ResponseParser in enrich/findings and code-fix use cases.
  - Export response_parser in vulnera-llm::infrastructure mod.

  LLM provider and test updates:
  - Make provider timeouts configurable via timeout_seconds local var.
  - Add ResilienceConfig wrapper and ResilientProvider wiring in registry.
  - Update mock provider, tests and domain types to CompletionRequest / CompletionResponse / StreamChunk shapes and streaming helpers.
  - Adjust integration tests to exercise GoogleAIProvider semantics.

  Keep changes scoped to licensing and LLM module refactor/adaptations; ensure new parser and tests improve robustness of model output handling.
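The fallback order the last commit describes for response_parser (a ```json fence, then any fence, then the first JSON value) is shown below as an added example in std-only Rust; it is not Vulnera's code, and the names `extract_json`, `fenced_block` and `first_json_value` are hypothetical. The point for untrusted model output is that brackets inside string literals are skipped and a truncated value yields None rather than a half-object.

```rust
// Added illustration (not Vulnera's code): the three fallback strategies the
// commit describes for response_parser, using only the standard library.
pub fn extract_json(text: &str) -> Option<String> {
    fenced_block(text, true) // 1. a ```json fenced block
        .or_else(|| fenced_block(text, false)) // 2. any fenced block
        .or_else(|| first_json_value(text)) // 3. first bare JSON value
}

/// Body of the first ``` fence. With `json_only`, the fence's info string
/// must be `json`; otherwise any (or no) info string is accepted.
fn fenced_block(text: &str, json_only: bool) -> Option<String> {
    let mut rest = text;
    while let Some(start) = rest.find("```") {
        let after = &rest[start + 3..];
        let nl = after.find('\n')?;
        let info = after[..nl].trim();
        let body = &after[nl + 1..];
        let end = body.find("```")?;
        if !json_only || info.eq_ignore_ascii_case("json") {
            return Some(body[..end].trim().to_string());
        }
        rest = &body[end + 3..]; // skip this fence and keep looking
    }
    None
}

/// First balanced `{...}` or `[...]`, ignoring brackets inside JSON string
/// literals (with backslash escapes). Truncated model output returns None
/// instead of a partial value that would fail to deserialize downstream.
fn first_json_value(text: &str) -> Option<String> {
    let start = text.find(|c| c == '{' || c == '[')?;
    let (mut depth, mut in_str, mut esc) = (0usize, false, false);
    for (i, &b) in text.as_bytes().iter().enumerate().skip(start) {
        match (in_str, b) {
            (true, b'\\') if !esc => esc = true,
            (true, b'"') if !esc => in_str = false,
            (true, _) => esc = false,
            (false, b'"') => in_str = true,
            (false, b'{') | (false, b'[') => depth += 1,
            (false, b'}') | (false, b']') => {
                depth -= 1;
                if depth == 0 {
                    return Some(text[start..=i].to_string());
                }
            }
            _ => {}
        }
    }
    None
}
```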
This pull request introduces several improvements and updates to Vulnera, focusing on CLI architecture, dependency analysis, licensing, and developer tooling. The most significant changes include a major CLI refactor for improved orchestration and user experience, enhanced dependency analysis features, a license update for CLI-related components, and the addition of pre-commit tooling for Rust quality checks. Documentation and configuration files have also been updated to reflect the new minimum supported Rust version (MSRV 1.91) and expanded workspace structure.
CLI Architecture & Tooling
Refactored `vulnera-cli` to orchestrate application use-cases for command flows, added shared CLI services for scan-target resolution, and introduced project hook management via `vulnera config hooks` (install, status, remove) with backend selection for hook installation. Also implemented bulk LLM-backed fix generation and SARIF emission with fix payloads.
Added `.pre-commit-config.yaml` and `.githooks/pre-commit` scripts to enforce Rust formatting, linting, and testing for improved code quality and reliability.
Dependency Analysis Enhancements
Added the `globset`, `oxc_allocator`, `oxc_parser`, and `oxc_span` dependencies for enhanced glob and parsing capabilities.
Licensing & Workspace Configuration
Adopted `AGPL-3.0-or-later` for the CLI, advisors, and LSP (adapter) components; updated `README.md` and `Cargo.toml` to reflect the license change and new MSRV (1.91).
Documented `vulnera-advisor` and `vulnera-adapter` as standalone repositories.
Documentation & Dockerfile Updates
Updated the `Dockerfile` to use `landlock` as the default sandbox backend, cleaned up user creation and semgrep installation steps, and improved build layer comments.
Most important changes: