fix(scanner): ignore full-line comments for source rules

2026-05-06 10:50:44 +00:00 · 2026-05-02 16:58:07 -07:00
parent 52cd76a9e2
commit 6548825083
2 changed files with 21 additions and 3 deletions
--- a/src/security/skill-scanner.test.ts
+++ b/src/security/skill-scanner.test.ts
@@ -265,6 +265,15 @@ const match = /^keychain:(.+)$/.exec(value);
    expect(findings.some((f) => f.ruleId === "dangerous-exec")).toBe(false);
  });

+  it("does not use full-line comments as source-rule context", () => {
+    const source = `
+const env = process.env;
+// fetch() can reach the endpoint later.
+`;
+    const findings = scanSource(source, "plugin.ts");
+    expect(findings.some((f) => f.ruleId === "env-harvesting")).toBe(false);
+  });
+
  it("returns empty array for clean plugin code", () => {
    const source = `
 export function greet(name: string): string {
--- a/src/security/skill-scanner.ts
+++ b/src/security/skill-scanner.ts
@@ -233,9 +233,18 @@ function isBenignMemberExecMatch(line: string, match: RegExpExecArray): boolean
  return !/\b(?:cp|childProcess|child_process)\s*\.\s*exec\s*\(/.test(line);
 }

+function stripFullLineCommentsForHeuristics(source: string): string {
+  return source
+    .split("\n")
+    .map((line) => (line.trimStart().startsWith("//") ? "" : line))
+    .join("\n");
+}
+
 export function scanSource(source: string, filePath: string): SkillScanFinding[] {
  const findings: SkillScanFinding[] = [];
  const lines = source.split("\n");
+  const heuristicSource = stripFullLineCommentsForHeuristics(source);
+  const heuristicLines = heuristicSource.split("\n");
  const matchedLineRules = new Set<string>();

  // --- Line rules ---
@@ -291,10 +300,10 @@ export function scanSource(source: string, filePath: string): SkillScanFinding[]
      continue;
    }

-    if (!rule.pattern.test(source)) {
+    if (!rule.pattern.test(heuristicSource)) {
      continue;
    }
-    if (rule.requiresContext && !rule.requiresContext.test(source)) {
+    if (rule.requiresContext && !rule.requiresContext.test(heuristicSource)) {
      continue;
    }

@@ -302,7 +311,7 @@ export function scanSource(source: string, filePath: string): SkillScanFinding[]
    let matchLine = 0;
    let matchEvidence = "";
    for (let i = 0; i < lines.length; i++) {
-      if (rule.pattern.test(lines[i])) {
+      if (rule.pattern.test(heuristicLines[i] ?? "")) {
        matchLine = i + 1;
        matchEvidence = lines[i].trim();
        break;