Skip to content

fix(detectors): framework detector fp/fn corpus pass#341

Open
TBX3D wants to merge 4 commits into
vmfunc:mainfrom
TBX3D:harden-detectors-clean
Open

fix(detectors): framework detector fp/fn corpus pass#341
TBX3D wants to merge 4 commits into
vmfunc:mainfrom
TBX3D:harden-detectors-clean

Conversation

@TBX3D

@TBX3D TBX3D commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

several framework detectors keyed on signatures that either dropped valid
signal or diluted a real match. django's csrfmiddlewaretoken pattern was
marked HeaderOnly even though it's a hidden form body field, so it never
matched. aspnet's weak .aspx/.ashx/.asmx path-extension signatures diluted
confidence below threshold on a response carrying only header markers;
they're dropped, and version extraction for aspnet/flask now also
searches canonical header text so header-shaped versions
(X-AspNet-Version, Werkzeug's Server header) are found.

a pinned fp/fn corpus test (hardening_test.go) locks in both the positive
and prose-false-positive case for each of the affected detectors.

csrfmiddlewaretoken is a hidden form body field django templates
render, never a header, so marking it HeaderOnly meant it could never
match and a real django form page (csrf field plus csrftoken cookie)
went undetected.
@TBX3D TBX3D requested a review from vmfunc as a code owner July 9, 2026 21:17
@codecov-commenter

codecov-commenter commented Jul 9, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@7ea1cd2). Learn more about missing BASE report.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #341   +/-   ##
=======================================
  Coverage        ?   60.11%           
=======================================
  Files           ?       81           
  Lines           ?     6884           
  Branches        ?        0           
=======================================
  Hits            ?     4138           
  Misses          ?     2454           
  Partials        ?      292           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@github-actions github-actions Bot added scan changes to scan engine tests test changes size/l <500 lines changed labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

pr summary

5 files changed (+285 -14)

category files
go source 5
tests 1

@TBX3D TBX3D force-pushed the harden-detectors-clean branch from 87db7cb to dfde6d6 Compare July 9, 2026 21:52
TBX3D added 3 commits July 9, 2026 16:43
version extraction only ever searched the response body, so
header-shaped patterns like ASP.NET's "X-AspNet-Version: x.y.z" or
Flask's "Werkzeug/x.y.z" Server header could never match even when the
detector itself fired off that same header. add
ExtractVersionFromResponse, which also searches canonical header
lines, and point aspnet and flask at it. fix the aspnet header regexes
to match case-insensitively, since Go canonicalizes header names
("X-AspNet-Version" becomes "X-Aspnet-Version") and the old literal
pattern never matched the canonical form.
promote the ad-hoc probe/sweep scratch tests used to find these
defects into a proper regression file: for each fix, assert both the
real-product positive still detects and the prose/other-product
negative does not, plus a sweep of unrelated pages against every
registered detector.
@TBX3D TBX3D force-pushed the harden-detectors-clean branch from dfde6d6 to 86cb567 Compare July 9, 2026 23:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

scan changes to scan engine size/l <500 lines changed tests test changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants