1.0.4 - 2025-09-04

@easypro-tech easypro-tech released this 05 Sep 15:54
· 6 commits to main since this release

Highlights

  • SARIF 2.1.0 reporting for GitHub Security integration
  • CI/CD pipeline with Docker multi-arch builds
  • Complete documentation overhaul with comparison matrix

Added

  • SARIF 2.1.0 reporter (sarif_reporter.py)
  • Context Matrix framework (6 contexts + polyglot payloads, not yet integrated)
  • 5 How-to guides (quickstart, CI, SARIF, Docker, safe-mode)
  • Example user config (~/.config/brs-xss/config.toml)
  • Benchmark suite (performance + accuracy)

Changed

  • Project description to "Context-aware async XSS scanner for CI"
  • Safe defaults in config/default.yaml
  • PyPI keywords and README for better positioning
  • Multi-stage, security-hardened Dockerfile

DevOps

  • GitHub Actions pipeline (ruff, mypy, pytest, codecov)
  • Multi-arch Docker builds (amd64/arm64)
  • Container images published to GHCR (GitHub Container Registry), with signed images
  • Performance monitoring via benchmark framework

Documentation

  • README overhaul with comparison vs XSStrike/XSpear/dalfox
  • Integration guides: GitHub Actions, GitLab CI, Jenkins
  • SARIF integration guide (Security tab setup)
  • Docker deployment guide
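To show what the SARIF 2.1.0 reporter and the Security tab setup are about, here is an added example of emitting a SARIF 2.1.0 run from DAST-style XSS findings that GitHub code scanning will accept. It is not the project's sarif_reporter.py; the finding shape (url, parameter, context, severity, payload), the rule ids, the severity-to-level mapping and the choice of request path as artifact URI are all assumptions for this example. Two choices are worth noting: the partial fingerprint is derived from the sink (path, parameter, context) rather than the payload, so two bypass strings for the same sink collapse into one alert across runs, and the raw payload never reaches the report, only its hash.

```python
"""Minimal SARIF 2.1.0 emitter for XSS findings (added example, not project code)."""
import hashlib
import json
from typing import Any, Dict, List
from urllib.parse import urlsplit

# Constructed sample findings in a hypothetical scanner record format.
SAMPLE_FINDINGS: List[Dict[str, str]] = [
    {"url": "https://app.example.test/search?q=test", "parameter": "q",
     "context": "html_body", "severity": "high", "payload": "<svg onload=alert(1)>"},
    {"url": "https://app.example.test/profile?name=x", "parameter": "name",
     "context": "attribute", "severity": "medium", "payload": "\" autofocus onfocus=alert(1) x=\""},
    {"url": "https://app.example.test/search?q=test", "parameter": "q",
     "context": "html_body", "severity": "high", "payload": "<img src=x onerror=alert(1)>"},
]

# SARIF result.level is one of error / warning / note / none; mapping is an assumption.
LEVEL_FOR_SEVERITY = {"critical": "error", "high": "error",
                      "medium": "warning", "low": "note", "info": "note"}

# One rule per injection context so the Security tab can group alerts by rule.
RULE_TEXT = {
    "html_body": "Reflected XSS: HTML body context",
    "attribute": "Reflected XSS: HTML attribute context",
    "script": "Reflected XSS: JavaScript context",
}


def rule_id_for(context: str) -> str:
    return "BRS-XSS-" + context.upper()  # hypothetical rule ids


def artifact_uri_for(url: str) -> str:
    # GitHub code scanning requires physicalLocation.artifactLocation.uri. A DAST
    # finding has no source file, so the request path stands in for it (assumption).
    path = urlsplit(url).path.lstrip("/")
    return path or "index"


def fingerprint(finding: Dict[str, str]) -> str:
    # Stable across runs and independent of the concrete payload string.
    raw = f"{urlsplit(finding['url']).path}|{finding['parameter']}|{finding['context']}"
    return hashlib.sha256(raw.encode()).hexdigest()


def build_sarif(findings: List[Dict[str, str]], tool_name: str = "brs-xss",
                tool_version: str = "1.0.4") -> Dict[str, Any]:
    rules: List[Dict[str, Any]] = []
    rule_index: Dict[str, int] = {}
    results: List[Dict[str, Any]] = []
    for f in findings:
        rid = rule_id_for(f["context"])
        if rid not in rule_index:
            rule_index[rid] = len(rules)
            rules.append({
                "id": rid,
                "shortDescription": {"text": RULE_TEXT.get(f["context"], "Reflected XSS")},
                "defaultConfiguration": {"level": "warning"},
                "properties": {"tags": ["security", "external/cwe/cwe-79"]},
            })
        results.append({
            "ruleId": rid,
            "ruleIndex": rule_index[rid],
            "level": LEVEL_FOR_SEVERITY.get(f["severity"], "warning"),
            # Path only: the query string may carry the payload itself.
            "message": {"text": f"Reflected XSS via parameter '{f['parameter']}' "
                                f"({f['context']} context) at {urlsplit(f['url']).path}"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": artifact_uri_for(f["url"])},
                "region": {"startLine": 1}}}],
            "partialFingerprints": {"brsXssSink/v1": fingerprint(f)},
            # Hash instead of raw payload: correlate with local logs without
            # writing the attack string into the Security tab.
            "properties": {"payloadSha256": hashlib.sha256(f["payload"].encode()).hexdigest()},
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


def to_json(doc: Dict[str, Any]) -> str:
    return json.dumps(doc, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(build_sarif(SAMPLE_FINDINGS)))
```

Write the output to a file and upload it with the github/codeql-action/upload-sarif action (or the equivalent API call) in the job that runs the scan; the alerts then appear under the repository's Security tab, grouped by rule id.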

Fixed

  • PayloadGenerator stability: Fixed reset_statistics Counter type bug, unified detected_wafs types
  • Statistics calculation: Added proper success_rate updates with exponential smoothing
  • Memory optimization: Lazy Context Matrix loading for relevant contexts only
  • Type safety: Removed unused imports (Iterable, Tuple), consistent Optional[List[Any]] types
  • Performance: Reduced unnecessary allocations for unknown context types
  • Configuration validation: Added comprehensive config parameter validation with safe ranges
  • Pool size control: Hard cap on payload pool size to prevent memory issues (pool_cap setting)
  • Final deduplication: Added a deduplication pass after blind-XSS payloads are merged, so no duplicates remain in the pool
  • Security: Safe logging without exposing raw payloads or WAF markers
  • Payload safety: Protection against empty/oversized payloads in evasion techniques
  • Real success metrics: success_rate now computed from filtered candidates over total candidates
  • Safe mode integration: Blind XSS disabled in safe_mode for production safety
  • Configurable weights: Customizable effectiveness scores for different payload sources
  • Code readability: Explicit list comprehensions instead of generator expressions
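The pool-size cap, final deduplication, payload-safety checks, safe logging and the smoothed statistics entries above all describe one piece of machinery: a bounded candidate pool with counters. The following added example implements that machinery in a small class; it is not the project's PayloadGenerator, and the class name, the pool_cap/max_len/smoothing parameters and the split into an acceptance ratio (filtered over total) and an exponentially smoothed success_rate are assumptions made for illustration.

```python
"""Bounded, deduplicated payload pool with smoothed statistics (added example, not project code)."""
import hashlib
import logging
from typing import Iterable, List, Optional, Set

log = logging.getLogger("payload_pool")


class PayloadPool:
    """Hypothetical stand-in for a generator's candidate pool."""

    def __init__(self, pool_cap: int = 500, max_len: int = 4096, smoothing: float = 0.2):
        # Validate configuration up front instead of failing mid-scan.
        if pool_cap < 1 or max_len < 1 or not 0.0 < smoothing <= 1.0:
            raise ValueError("pool_cap and max_len must be >= 1, smoothing must be in (0, 1]")
        self.pool_cap = pool_cap
        self.max_len = max_len
        self.smoothing = smoothing
        self.payloads: List[str] = []
        self._seen: Set[str] = set()
        self.success_rate: Optional[float] = None  # None until the first outcome is recorded
        self.total_candidates = 0
        self.accepted = 0

    @staticmethod
    def _tag(payload: str) -> str:
        # Short hash for log lines: never log the raw payload or WAF markers.
        return hashlib.sha256(payload.encode()).hexdigest()[:12]

    def add(self, payload: str) -> bool:
        """Return True if the payload entered the pool, False if filtered."""
        self.total_candidates += 1
        if not payload or len(payload) > self.max_len:
            log.debug("rejected payload tag=%s len=%d", self._tag(payload), len(payload))
            return False
        if payload in self._seen:  # exact-duplicate filter
            return False
        if len(self.payloads) >= self.pool_cap:  # hard cap: memory stays bounded
            log.warning("pool_cap=%d reached, dropping payload tag=%s",
                        self.pool_cap, self._tag(payload))
            return False
        self._seen.add(payload)
        self.payloads.append(payload)
        self.accepted += 1
        return True

    def extend(self, payloads: Iterable[str]) -> int:
        """Add many candidates; return how many were accepted."""
        accepted = 0
        for p in payloads:
            if self.add(p):
                accepted += 1
        return accepted

    def acceptance_rate(self) -> float:
        """Filtered-in candidates over all candidates seen (0.0 when nothing was offered)."""
        if self.total_candidates == 0:
            return 0.0
        return self.accepted / self.total_candidates

    def record_outcome(self, fired: bool) -> float:
        """Exponentially smoothed success rate over per-payload outcomes."""
        sample = 1.0 if fired else 0.0
        if self.success_rate is None:
            self.success_rate = sample
        else:
            self.success_rate = self.smoothing * sample + (1.0 - self.smoothing) * self.success_rate
        return self.success_rate

    def reset_statistics(self) -> None:
        """Reset counters only; the pool contents are kept."""
        self.success_rate = None
        self.total_candidates = 0
        self.accepted = 0


if __name__ == "__main__":
    pool = PayloadPool(pool_cap=3, max_len=32, smoothing=0.5)
    pool.extend(["<svg onload=alert(1)>", "", "A" * 40, "<svg onload=alert(1)>"])
    print(len(pool.payloads), round(pool.acceptance_rate(), 3))
```

The cap is enforced at insertion time rather than by trimming afterwards, so a run that generates far more candidates than it can use never holds them all in memory, and the only thing that reaches the log for a rejected candidate is a short hash.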

Next

  • Context Matrix integration into core engine
  • WAF bypass test-suite
  • ML-scoring pipeline