Skip to content

Releases: RuoJi6/audit-skills

v0.6.3 - Rename to audit-skills

Choose a tag to compare

@RuoJi6 RuoJi6 released this 16 Jun 03:50
  • Rename repository and skill from java-audit-skills/java-audit to audit-skills.\n- Move skill files to skills/audit-skills/.\n- Update README install path and usage examples to /audit-skills.\n- Keep Java and .NET references split, with PHP handled by common audit boundaries.

v0.6.2 — 审计流程与组件扫描增强

Choose a tag to compare

@RuoJi6 RuoJi6 released this 15 Jun 12:00

Full Changelog: v0.6.1...v0.6.2

v0.6.1 — 安装与使用说明补充

Choose a tag to compare

@RuoJi6 RuoJi6 released this 14 Jun 14:28

更新内容

  • 在 README 中补充 Cloud/Codex 安装说明:将 skills/java-audit/ 放置到可识别的 .skills/ 目录下。
  • 校准使用说明:安装后可用 $java-audit 显式触发,也可通过 Java 审计、路由梳理、鉴权梳理等自然语言触发。

验证

  • git diff --check

v0.6.0 — Java 审计技能文档重构

Choose a tag to compare

@RuoJi6 RuoJi6 released this 13 Jun 14:50
16e5007

Highlights

  • 重构并中文化 Java 审计 Skill 文档,主 SKILL.md 聚焦触发条件、工作流、强制边界和成功标准。
  • 将长篇规则、模板、验证材料和框架细节拆分到按需读取的 references/ 文件中。
  • 新增 tools/skill-maintenance/ 维护说明和多个 validator,用于本地检查审计输出边界与结构。
  • 更新组件版本扫描、SQL、鉴权、XXE、文件读取、文件上传、路由映射、调用链追踪和 pipeline 等 Skill 的输出约束。

Validation

  • python3 -m compileall tools/skill-maintenance/validators skills/java-vuln-scanner/scripts
  • git diff --check

Merged PR

  • #21 [codex] 重构 Java 审计技能文档

v0.5.0 — Java 反序列化审计 Skill

Choose a tag to compare

@RuoJi6 RuoJi6 released this 05 Jun 09:50

新增

  • 新增 java-deserialization-audit skill,覆盖 ObjectInputStream、XMLDecoder、Fastjson、XStream、JDBC、Shiro RememberMe、Log4j/JNDI 与 gadget 链审计。
  • 新增反序列化 sink、组件/gadget 条件、payload 约束与报告模板 references。
  • 接入 java-audit-pipeline 阶段 4,新增 agent-6e-deserialization-auditor 按需启动。

更新

  • README 与 skills/README 增加反序列化 skill 描述、使用示例和输出目录。
  • 质量检查模板增加 agent-6e 校验项。
  • 共享严重等级编号新增 DESER

v0.4.0 — 多 agent 路由提取 + pipeline 性能优化

Choose a tag to compare

@RuoJi6 RuoJi6 released this 29 Apr 10:35

✨ 重大更新

多 agent 路由提取(解决大型多模块项目漏路由问题)

  • 阶段1 引入 agent-1-recon 路由侦查 agent + 多个 agent-1-N worker 并行提取 + agent-1-merge 合并
  • 默认 5 个 worker 并发,启动时由用户配置(合法范围 2~10)
  • 路由侦查后用户审计范围确认(gate):可排除 WAR 模块,避免无关模块审计

调度与并发

  • 全局并发上限参数化(max_concurrent_agents
  • 质检员(agent-7-x)独立池调度,不占用 worker 槽位
  • 路由侦查强制独占粒度细化为「逻辑模块级」
  • 波次调度:完成一个、校验一个、立即替补

性能与 token 优化(大型多模块项目实测路由阶段 LLM token 耗光的根因)

  • 路由合并阈值 50 → 150(A+B+C+D)
  • 通配符路由改为「模式族 + URL→方法签名」列表,禁止逐 URL 重复完整模板
  • OUTPUT_TEMPLATE_MODULE 接口区块紧凑化:参数单行;Content-Type/Header 仅在文件上传/SOAP/自定义鉴权时填写
  • worker 不再生成 README/主索引,统一由 agent-1-merge 生成
  • gateway 子功能展开规则;硬阈值 200

其他

  • 脱敏示例项目命名以适配公开仓库

📊 提交清单(自 v0.3.1)

  • a90321c perf(route-mapper): pattern-based wildcard expansion + slim params + drop worker README
  • fb5d0f6 perf(audit-pipeline): wildcard threshold 50→150 + decoupled QA pool (C+D)
  • e4df644 perf(audit-pipeline): raise route merge thresholds 50→150 (A+B)
  • 72db810 feat(audit-pipeline): parameterize concurrency + add user gate after recon
  • 5649f98 feat(audit-pipeline): add hard threshold 200 + gateway sub_function expansion rule
  • d558860 chore: 脱敏示例项目命名以适配公开仓库
  • 40fef6d fix(route-mapper): 明确路由侦查强制独占的粒度为逻辑模块级
  • 1aeca54 feat(pipeline): 全局并发上限 5,引入波次调度
  • e1654a6 feat(pipeline): 阶段1 引入路由侦查 agent + 并行 worker + 合并

🔒 备份

  • backup/main-v0.3.1 分支保留发版前 main 状态

v0.3.1

Choose a tag to compare

@RuoJi6 RuoJi6 released this 16 Apr 09:20

变更内容

  • 移除 route-mapper Burp Suite 模板生成:精简路由输出,仅保留路由+参数结构
  • 更新 references/ 下模板和参考文件同步移除 Burp 引用
  • 更新 pipeline 质检模板,移除 Burp 模板校验项

优化目的

下游审计 Skill 不需要 Burp 模板数据,移除后大幅节省上下文窗口(减少 60-80% 冗余占用),避免千级路由场景下上下文截断导致漏审。

v0.3.0

Choose a tag to compare

@RuoJi6 RuoJi6 released this 09 Apr 10:01
b389e24

Summary

This release covers the unpublished changes in commit range 2584ed33602a99bc72f7503897eea08b936944af..b389e24cf5e97095dc592aacc8114fff6dc3a8d0 on main.
It includes one merged PR that migrates Java decompilation from MCP to CFR CLI, plus two direct commits on main for pipeline delivery and shared skill path updates.

Included PRs

  • PR #8: feat: 将 MCP 反编译调用迁移为 CFR CLI 命令行方式
    • Merged At: 2026-04-09T09:39:35Z
    • Author: RuoJi6
    • Merge Commit Headline: Merge pull request #8 from RuoJi6/feat/mcp-to-cli-decompile
    • Merge Commit SHA: b389e24

Included Commits

  • fix(java-audit-pipeline): 质检员校验报告改为文件交付,避免消息体过大
    • SHA: 2bcfac7
    • Author: ji ruo
    • Committed At: 2026-03-27T21:53:08+08:00
    • Associated PR: none (direct commit to main)
  • rename: shared -> java-shared,更新所有 skill 中的引用路径
    • SHA: f25dd87
    • Author: ji ruo
    • Committed At: 2026-04-09T15:26:18+08:00
    • Associated PR: none (direct commit to main)
  • feat: 将 MCP 反编译调用迁移为 CFR CLI 命令行方式
    • SHA: f476b2d
    • Author: ji ruo
    • Committed At: 2026-04-09T16:33:06+08:00
    • Associated PR: #8
  • fix: 清理残留的 MCP Java Decompiler 文案
    • SHA: 1444e05
    • Author: ji ruo
    • Committed At: 2026-04-09T16:59:47+08:00
    • Associated PR: #8
  • fix: 补充 CFR 关键约束说明(不接受目录、无 --recurse 参数)
    • SHA: f4e41f5
    • Author: ji ruo
    • Committed At: 2026-04-09T17:13:15+08:00
    • Associated PR: #8
  • Merge pull request #8 from RuoJi6/feat/mcp-to-cli-decompile
    • SHA: b389e24
    • Author: RuoJi6
    • Committed At: 2026-04-09T17:39:35+08:00
    • Associated PR: #8 (merge commit)

Version Reason

This release bumps v0.2.0 to v0.3.0 as a minor release.
The deciding change is the new decompilation flow/capability introduced by PR #8 (feat: 将 MCP 反编译调用迁移为 CFR CLI 命令行方式), which fits the "new capability / new process" rule.
The other included changes are fixes and internal path updates. There is not enough evidence of a breaking external behavior change to justify a major release.

Release Target

  • Target Branch: main
  • Target Commit SHA: b389e24cf5e97095dc592aacc8114fff6dc3a8d0
  • Tag: v0.3.0

v0.2.0

Choose a tag to compare

@RuoJi6 RuoJi6 released this 27 Mar 04:51

Summary

  • java-audit-pipeline 新增 scripts 临时脚本目录输出结构,补充流水线可落地执行的中间产物目录。
  • java-audit-pipeline 增加 P2 兜底分级逻辑,在没有 P0/P1 时继续基于有鉴权路由做审计,提高覆盖率。
  • 修复 pipeline 模板占位符替换、脚本目录路径规范、route tracer 输出命名、全量待追踪路由输出和质量校验模式一致性。
  • route-mapper 输出改为按模块子目录组织,提升结果结构化程度。

Included PRs

  • None. No merged PRs landed on main after v0.1.0; all included changes are direct commits in the exact commit range 11dd714701049db4ce475cc1ba75edb9856bed96..2584ed33602a99bc72f7503897eea08b936944af.

Included Commits

  • 44ce92f966d8438573cb11e674ccd2f0aef67327 feat(java-audit-pipeline): 添加 scripts 临时脚本目录到输出结构
  • 164ee00916ce180dd30decac0d75e4f94556de65 refactor(route-mapper): 按模块子目录组织输出文件结构
  • 9c95579e6da5ad6d7d9e8bc0c0a479fabd781a80 fix(java-audit-pipeline): 添加 route_tracer 输出文件命名强制规范
  • a20b324b2247a299a4f4851d104a45b1f2d3143b fix(java-audit-pipeline): 强制占位符替换规则,防止未替换的模板变量传给子 agent
  • 528c2d3df8fe70271835cdfd161f79104dce161e fix(java-audit-pipeline): 统一所有 agent 指令模板添加脚本目录路径规范
  • 1c59faddd54d77abba032e9c80697f62ad57c538 fix(java-audit-pipeline): 强制 agent-4a 全量输出待追踪路由并添加 agent-5 完整性校验
  • b39b393233e1eb8cf7934b123a2daa7d8b339ca7 feat(java-audit-pipeline): 增加 P2 兜底分级逻辑,P0+P1=0 时用有鉴权路由继续审计
  • 2584ed33602a99bc72f7503897eea08b936944af fix(java-audit-pipeline): 修正质量报告审计模式选项与 agent-5 保持一致

Version Reason

  • This release is a minor version bump from v0.1.0 to v0.2.0 because the included changes add new capabilities and workflow behavior in java-audit-pipeline via feat(...) commits, while there is no evidence of breaking or incompatible behavior that would justify a major bump.

Release Target

  • Target branch: main
  • Target commit sha: 2584ed33602a99bc72f7503897eea08b936944af
  • Tag: v0.2.0

v0.1.0

Choose a tag to compare

@RuoJi6 RuoJi6 released this 25 Mar 03:18
11dd714

Summary

  • 修复多个审计 skill、shared 和 pipeline 中的语义陷阱措辞,收紧提示词边界,减少 LLM 幻觉输出
  • 将各 skill 的输出模板外移到 references/OUTPUT_TEMPLATE*.md,精简 SKILL.md
  • 新增统一输出规范 skills/shared/OUTPUT_STANDARD.md,统一命名规则、目录结构和硬约束
  • 引入 【填写】 填充式模板,减少自由格式生成带来的不一致
  • 将 pipeline 的 agent 详细指令外移到 references/agent_*_instructions.md
  • 修复部分模板同步、输出路径和 P0 定义残留问题

Included Areas

  • java-sql-audit
  • java-auth-audit
  • java-xxe-audit
  • java-file-read-audit
  • java-file-upload-audit
  • java-route-mapper
  • java-route-tracer
  • java-vuln-scanner
  • java-audit-pipeline
  • skills/shared/OUTPUT_STANDARD.md
  • skills/shared/SEVERITY_RATING.md

Source

  • Merged PR: #5
  • Title: fix: 修复语义陷阱词汇并重构输出模板到 references 目录