Skip to content

v0.1.4 - provenance-aware suppression + Windows unicode fix

Choose a tag to compare

@Sonofg0tham Sonofg0tham released this 02 Jul 15:55

Closes the last suppression bypass

The honest-assessment workflow flagged one residual risk in the
`ward-allow-file` directive: an attacker who edits an existing doc
file in a PR could add a directive to silence detection on that file.
This release closes it.

```bash
ward scan-local --suppression-base origin/main
```

With a base ref, Ward only honours directives in files unchanged
since that ref. Any file the current branch or PR touched cannot
suppress detection, so a PR-introduced directive is ignored and the
payload fires. Recommended for CI. Documented in
SECURITY.md and the README.

Fixes a real Windows crash

`_run_git` decoded git output with the Windows locale codepage
(cp1252) instead of UTF-8. Any Cyrillic or emoji commit message would
crash `scan-local` on Windows before Ward ever got to flag it -
i.e. the exact adversarial unicode Ward exists to scan was a
denial-of-service against Ward itself on Windows. Now forces UTF-8
with `errors="replace"`. Regression-tested with a Cyrillic + emoji
commit message.

By the numbers

  • 208 tests (up from 206)
  • New `--suppression-base` flag, new `changed_files` / `ref_exists`
    git helpers, new `trust_suppressions` param on the SDK's
    `build_input`
  • Benchmark unchanged: 75.2% smoke / 53.5% full recall, 0.0% FPR
    (this release is hardening, not detection)
  • mypy strict, ruff clean, CI green on Ubuntu / macOS / Windows x
    Python 3.11 / 3.12 / 3.13

Upgrade

```bash
pipx upgrade ward-scanner
```

```yaml

  • uses: sonofg0tham/ward@v0.1.4
    with:
    fail-on: high
    ```