Skip to content

v0.3.15 — prismjs misleading remediation fix + SOFT collapse

Choose a tag to compare

@golab-arch golab-arch released this 30 May 22:13

SYNAPTIC Sentinel v0.3.15

🎯 prismjs misleading remediation fix (DG-115 A + DG-115.1 A G7). Closes the 🚨 prismjs Known Issue declared in v0.3.14 release notes. SCA findings whose vulnerable copy is a transitive nested-pinned dep (e.g. prismjs@1.27.0 nested under refractor@3.6.0) now receive an override directive (npm overrides / yarn resolutions / pnpm.overrides) — a top-level bump alone does NOT honor the parent's pin and the sidebar now surfaces this.

What changed

  • DG-115 A — overrideDirective for transitive nested-pinned SCA. Trivy v0.70.0 already exposes Result.Packages[] with the full dep graph + PkgIdentifier.UID 1:1 matching; the normalizer now consumes it. Each Finding gains sca.dependencyContext { directness, pinnedBy, hasSiblingFixedCopy }. Each FindingGroup with at least one indirect finding + known package manager + known fix version gains remediation.overrideDirective { manager, packageName, versionRange, snippet, hasSiblingFixedCopy, pinnedBy[] }. The sidebar renders the directive as a dominant block above the children, with a Copy button (clipboard API + getSelection().selectAllChildren fallback) and cites the pinner in the risk caveat.
  • DG-115.1 A G7 — STRONG / SOFT visual hierarchy (webview-only refinement). STRONG (hasSiblingFixedCopy: true, e.g. prismjs) stays prominently expanded red. SOFT (hasSiblingFixedCopy: false, ~8 findings per scan: protobufjs / node-forge / fast-uri / uuid / etc.) is now collapsed by default inside a <details> with a one-liner summary "Transitive (via <pinnedBy[0]>) — plain bump usually works; override if it persists (<manager>)". The body (caveat + plain bump line + snippet + Copy + risk caveat) is revealed on expand. Data of the tomo is unchanged.

Known Issues retired

The 🚨 prismjs warning from v0.3.14 is retired. Override directives are now emitted for any transitive nested-pinned SCA finding.

Known Issues still open

  • Parent/child SCA correlation (e.g. @protobufjs/utf8 finding listed as a separate group from its parent protobufjs). Deferred — tracked as DG-future-SCA-dep-graph.
  • Reachability framework-level (config-gated CVEs like fastify trustProxy). Deferred — the new sca.dependencyContext + sca.packageManager fields are the data foundation for it.
  • Inconclusive-but-well-reasoned SAST taint verdicts — unchanged, success by design for the class of finding where the sink's implementation lives in another file.

Trivy DependsOn caveat (known data limit)

Trivy Result.Packages[*].DependsOn lists resolved dep versions, NOT the constraint ranges (^ vs ~ vs exact) of the pinner. SENTINEL cannot decide automatically whether a plain top-level bump satisfies the pinner's constraint; the STRONG / SOFT split uses hasSiblingFixedCopy (binary: is there a fixed copy top-level?) as a safe over-approximation.

Verification

  • Empirical against the SYNAPTIC_SAAS web lockfile (pnpm-lock.yaml with react-syntax-highlighter@15.6.6 → refractor@3.6.0 → prismjs@1.27.0 chain + prismjs@1.30.0 top-level).
  • Baseline-5 (step5.vsix) confirmed overrideDirective + dependencyContext for the prismjs case.
  • Baseline-5.1 (step5b.vsix) confirmed STRONG/SOFT visual hierarchy + tomo data byte-identical to step5.
  • pnpm verify VERDE: 60 test files / 707 tests + manifest gate + activation gate (9 commands + 15 subscriptions).

Schema changes (additive, backward-compatible)

  • TrivyResultSchema: Type?: string, Packages?: TrivyPackage[].
  • ScaMetadataSchema: packageManager?: string, dependencyContext?: DependencyContext.
  • RemediationTargetSchema: overrideDirective?: OverrideDirective.
  • New dependency: semver in @synaptic-sentinel/scouts.

Installation

vsce publish to the VS Code Marketplace is not part of this release — the Marketplace listing is on v0.3.3 and 12 GitHub-only releases (v0.3.4 → v0.3.15) accumulate user-side publishing operations. To install in VS Code:

```
code --install-extension synaptic-sentinel-0.3.15.vsix
```

…or use Install from VSIX... in the Extensions view.

Artifact

  • synaptic-sentinel-0.3.15.vsix — 1838 files / 3.19 MB / 3,346,724 bytes
  • SHA-256: `6e435c0b5a7ae6d43ef6b7a69b9911a00e2694edac92ce2cd42c6c75dd9e89b7`