Below you will find pages that utilize the taxonomy term “Mattybellx”
July 4, 2026
ansede-static
Version updated for https://github.com/mattybellx/Ansede to version v5.5.0.
This action is used across all versions by 0 repositories.
Action Type: Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed

[5.5.0] — 2026-07-03

Added
- Runtime framework-root detection (_detect_framework_root): auto-detects framework/library repos from package metadata, enabling noise suppression on arbitrary cloned repos (not just known benchmark paths)
- Test-file noise policy (_is_test_file, _TEST_FILE_NOISE_RULES): suppresses CWE-798/327/338 findings in test fixtures, examples, and demos
- Expanded framework-internal path markers: 60+ new patterns covering cloned campaign repos (py-flask/, js-express/, etc.) and installed packages
- Confidence downgrading for non-exempt framework-internal findings (0.5 cap) and test-file findings (0.6 cap)

Changed
- rich moved to production dependencies: declared explicitly in pyproject.toml; guardrails updated to a 10MB limit with a rich allowlist
- CWE-617 severity: high → medium (error handling, not a direct exploit)
- CWE-532 severity: high → medium (information leak)
- README precision claims: replaced "0.4% FP rate" with an honest "36-58% precision on web apps"
- Test count badge: 1,207 → 1,234

Fixed
- Framework noise suppression now works on cloned repos: previously it only matched specific benchmark directory names; it now catches py-flask/, js-express/, and 30+ common clone patterns
- FrameworkFingerprint made mutable: inspect_ast_node() and verify_endpoint_protection() can now set detected_framework at runtime
- verify_endpoint_protection checks default values: the FastAPI `= Depends(...)` pattern (a parameter default value, not an annotation) is now detected

Engineering Spec Compliance
- Phase 1.3: Dependency declaration (rich as prod dep)
- Phase 1.4: mypy --strict added to CI
- Phase 2.2: register_symbol, resolve_call, propagate_taint_cross_file in interprocedural.py
- Phase 2.3: FrameworkFingerprint.inspect_ast_node + verify_endpoint_protection
- Phase 2.4: Rule severity recalibration
- Phase 3.1: generate_remediation_snippet with 6 code-fix templates
- Phase 3.4: ProcessPoolExecutor parallel analysis
- Phase 3.5: safe_parse_target with 3-encoding fallback
- Phase 4.1: docs/rules/index.md rule catalog
- Phase 4.2: rules/custom_checks.yaml blueprint
- Phase 4.3: filter_findings_by_git_diff PR isolation
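The test-file noise policy and the confidence caps above are easiest to understand as a small triage pass over findings. The block below is an added example written for this page, not Ansede's own implementation: the names _is_test_file and _TEST_FILE_NOISE_RULES follow the changelog, but their bodies, the marker lists, the Finding type and the rule IDs in the sample are assumptions. The suppressed CWEs (798/327/338), the 0.6 test-file cap, the 0.5 framework-internal cap, the py-flask/ clone marker and the Windows backslash case are taken from the release notes.

```python
"""Noise policy for test-file and framework-internal findings.

Added example, not Ansede's own code: a hypothetical reimplementation of the
policy described in the changelog. Helper names, marker lists, the Finding
type and the rule IDs are assumed; the CWE exemptions and caps are from the
release notes.
"""
from dataclasses import dataclass, replace

# Findings that are expected in fixtures: hard-coded credentials (CWE-798),
# broken crypto (CWE-327) and weak PRNG (CWE-338) are routine in test code.
_TEST_FILE_NOISE_RULES = frozenset({"CWE-798", "CWE-327", "CWE-338"})

# Directory markers for tests, examples and demos (assumed list).
_TEST_PATH_MARKERS = ("tests/", "test/", "examples/", "demo/", "docs/", "fixtures/")

# Framework / library internals, including common clone directory names (assumed list).
_FRAMEWORK_INTERNAL_MARKERS = ("py-flask/", "js-express/", "site-packages/", "node_modules/")

TEST_FILE_CAP = 0.6            # non-exempt findings in test files
FRAMEWORK_INTERNAL_CAP = 0.5   # non-exempt findings inside framework internals


@dataclass(frozen=True)
class Finding:
    path: str
    cwe: str
    rule_id: str
    confidence: float          # 0.0 .. 1.0
    suppressed: bool = False
    reason: str = ""


def _normalise(path: str) -> str:
    """Fold Windows separators so \\tests\\ and /tests/ hit the same markers."""
    p = path.replace("\\", "/").lower()
    # A leading slash lets "/tests/" match a top-level directory as well as a nested one.
    return p if p.startswith("/") else "/" + p


def _is_test_file(path: str) -> bool:
    p = _normalise(path)
    name = p.rsplit("/", 1)[-1]
    in_test_dir = any("/" + marker in p for marker in _TEST_PATH_MARKERS)
    looks_like_test = name.startswith("test_") or name.endswith(("_test.py", ".test.js", ".spec.js"))
    return in_test_dir or looks_like_test


def _is_framework_internal(path: str) -> bool:
    p = _normalise(path)
    return any("/" + marker in p for marker in _FRAMEWORK_INTERNAL_MARKERS)


def apply_noise_policy(finding: Finding) -> Finding:
    """Suppress exempt test-file findings; cap confidence for everything else in noisy paths."""
    if _is_test_file(finding.path):
        if finding.cwe in _TEST_FILE_NOISE_RULES:
            return replace(finding, suppressed=True, reason="test-file noise rule")
        return replace(finding, confidence=min(finding.confidence, TEST_FILE_CAP),
                       reason="test-file confidence cap")
    if _is_framework_internal(finding.path):
        return replace(finding, confidence=min(finding.confidence, FRAMEWORK_INTERNAL_CAP),
                       reason="framework-internal confidence cap")
    return finding


def triage(findings, min_confidence: float = 0.7):
    """Apply the policy and keep un-suppressed findings at or above the reporting threshold."""
    kept = []
    for finding in findings:
        finding = apply_noise_policy(finding)
        if not finding.suppressed and finding.confidence >= min_confidence:
            kept.append(finding)
    return kept


# Constructed sample findings, not real scanner output.
SAMPLE_FINDINGS = [
    Finding("app/auth.py", "CWE-798", "PY-010", 0.9),                     # real: secret in app code
    Finding("tests/test_auth.py", "CWE-798", "PY-010", 0.9),              # fixture credential: suppressed
    Finding("tests\\fixtures\\crypto.py", "CWE-327", "PY-020", 0.8),      # Windows path: suppressed
    Finding("tests/test_db.py", "CWE-89", "PY-001", 0.9),                 # not exempt: capped to 0.6
    Finding("py-flask/src/flask/sessions.py", "CWE-338", "PY-030", 0.9),  # framework internal: capped to 0.5
    Finding("app/views.py", "CWE-79", "PY-005", 0.75),                    # real: kept
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        out = apply_noise_policy(f)
        print(f"{out.path:40} {out.cwe:8} conf={out.confidence:.2f} suppressed={out.suppressed} {out.reason}")
    print("reported:", [f.path for f in triage(SAMPLE_FINDINGS)])
```

Capping rather than suppressing non-exempt findings keeps a SQL injection in a test helper visible to anyone who lowers the reporting threshold, while the hard suppression list stays limited to the three CWEs that are almost never real in fixtures.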
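The verify_endpoint_protection fix above (FastAPI protection declared as a parameter default rather than in the annotation) is shown below as an added ast-based example written for this page; it is not Ansede's verify_endpoint_protection. The set of route decorator names and of protecting dependency calls, the check_defaults switch that reproduces the pre-fix behaviour, and the sample application are assumptions.

```python
"""Endpoint-protection check that understands FastAPI dependency defaults.

Added example, not Ansede's code. ROUTE_DECORATORS, PROTECTING_CALLS, the
check_defaults switch and the sample app are assumptions for illustration.
"""
import ast

ROUTE_DECORATORS = {"get", "post", "put", "patch", "delete"}   # assumed
PROTECTING_CALLS = {"Depends", "Security"}                      # assumed


def _call_name(node) -> str:
    """Name of a called function: Depends(...) or fastapi.Depends(...) -> 'Depends'."""
    if isinstance(node, ast.Call):
        func = node.func
        if isinstance(func, ast.Name):
            return func.id
        if isinstance(func, ast.Attribute):
            return func.attr
    return ""


def _is_route(fn) -> bool:
    """True for functions decorated like @router.get("/path")."""
    for dec in fn.decorator_list:
        if isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute):
            if dec.func.attr in ROUTE_DECORATORS:
                return True
    return False


def _annotation_protected(annotation) -> bool:
    """Annotated[T, Depends(...)]: the dependency sits in the subscript's metadata (Python 3.9+ ast)."""
    if isinstance(annotation, ast.Subscript):
        inner = annotation.slice
        elts = inner.elts if isinstance(inner, ast.Tuple) else [inner]
        return any(_call_name(e) in PROTECTING_CALLS for e in elts)
    return False


def verify_endpoint_protection(source: str, check_defaults: bool = True) -> dict:
    """Map each route handler name to True if some parameter carries a protecting dependency.

    check_defaults=False reproduces the pre-fix behaviour: only annotations are inspected,
    so `user = Depends(...)` as a default value is missed.
    """
    result = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and _is_route(node):
            args = node.args
            params = args.args + args.kwonlyargs
            protected = any(_annotation_protected(p.annotation) for p in params)
            if check_defaults:
                # Positional defaults plus keyword-only defaults (None where a kw-only arg has no default).
                defaults = args.defaults + [d for d in args.kw_defaults if d is not None]
                protected = protected or any(_call_name(d) in PROTECTING_CALLS for d in defaults)
            result[node.name] = protected
    return result


# Constructed sample application (only parsed, never imported or run).
SAMPLE_APP = '''
from typing import Annotated
from fastapi import APIRouter, Depends
router = APIRouter()

@router.get("/me")
def read_me(user: Annotated[User, Depends(current_user)]):
    return user

@router.get("/admin")
def admin_panel(user=Depends(require_admin)):
    return "ok"

@router.delete("/items/{item_id}")
def delete_item(item_id: int, *, user=Depends(current_user)):
    return item_id

@router.post("/public")
async def public_echo(payload: dict):
    return payload
'''

if __name__ == "__main__":
    print("annotation only:", verify_endpoint_protection(SAMPLE_APP, check_defaults=False))
    print("with defaults  :", verify_endpoint_protection(SAMPLE_APP))
```

With check_defaults=False the admin and delete handlers are reported as unprotected even though both require a dependency, which is exactly the false positive the release fixes; the keyword-only case matters because kw_defaults is a separate list from defaults and contains None entries that must be skipped.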
July 1, 2026
ansede-static
Version updated for https://github.com/mattybellx/Ansede to version v5.2.1.
This action is used across all versions by 0 repositories.
Action Type: Composite action.
Go to the GitHub Marketplace to find the latest changes.
What’s Changed

[5.0.0] — 2026-06-27

Added
- Rust Pattern Engine: native regex matching via PyO3 (ansede_rust_core), 3.6x faster on large files, with graceful Python fallback
- Java Tree-Sitter AST Analyzer (java_ast_analyzer.py): replaces regex heuristics with accurate AST parsing. 9 checkers: CWE-89, CWE-78, CWE-328, CWE-918, CWE-601, CWE-79, CWE-798, CWE-22, CWE-862
- 4 new detectors: CWE-942 (CORS wildcard), CWE-94 (Jinja2 SSTI), CWE-362 (TOCTOU), CWE-862 (Spring Actuator)
- Precision Benchmark Harness (benchmarks/precision_benchmark.py): multi-language, multi-repo precision tracking with per-CWE heatmaps
- is_framework_internal() context filter: suppresses findings in framework/library internals (Flask src/, Express lib/)
- 21-repo scale proof: validated across 7 languages with 99%+ precision on clean code

Changed — Precision (99.4% FP Reduction)
- Calibration: removed bare method names (exec, query, execute, raw) from callee sets to prevent Mongoose/ORM false positives
- Calibration: JS-023 regex anchored with (?<!\.) to prevent Browserify .require() false positives
- Calibration: extended the ambiguous-callee guard to resolve/join for path traversal
- Calibration: JS-018 __proto__:null now recognized as a defensive pattern, not prototype pollution
- Calibration: Java write() XSS check requires an HTTP response receiver, not a JSON writer
- Calibration: 9 CVE benchmark severity thresholds corrected (MEDIUM→MEDIUM, not HIGH)
- Calibration: CWE-295, CWE-502, CWE-532 added to the test-file noise filter

Changed — Performance (96% Faster)
- AST walk cache: pre-computed per-function node lists shared across all 49 Python rules
- _rule_24 fix: module-level AST walk moved outside the per-function loop (20x → 1x)
- Lazy symbolic guards: skipped when no findings or conditionals are present
- Lazy datascience rules: skipped for files without DS imports
- Java regex → AST: always uses tree-sitter when available, eliminating regex overhead

Fixed
- Windows path handling: \tests\, \examples\, \docs\ backslash patterns in triage filters
- Empty CWE display: PY-003 assigned CWE-252, PY-044 assigned CWE-1120
- Test-file CWE-98 suppression: dynamic require in test files correctly filtered
- CVE recall: 92.7% → 100% (164/164 across 5 languages)

What’s New Since v4.1.0
- 100% CVE recall (164/164): every known vulnerability detected
- 99.4% FP reduction on 5 clean repos (535 → 3 findings)
- 86% FP reduction on 21 repos across 7 languages
- 96% faster Python scanning (2,600 → 5,100 LOC/s)
- 3.6x faster JavaScript pattern matching via Rust engine
- Java AST analyzer replaces regex; PetClinic: 38 → 0 findings
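Two of the precision calibrations above (the (?<!\.) anchor on JS-023 and the __proto__:null exemption on JS-018) are regex-level changes that are easy to show end to end. The block below is an added example written for this page, not Ansede's rule code: it assumes, for illustration, that JS-023 flags a require() whose argument is not a string literal and that JS-018 flags writes to __proto__; the patterns, helper names and sample JavaScript lines are assumptions, while the anchor and the exemption come from the changelog.

```python
"""Regex calibration for two JavaScript pattern rules.

Added example, not Ansede's own code. It assumes, for illustration, that
JS-023 flags a require() with a non-literal argument and that JS-018 flags a
write to __proto__. Patterns, helpers and sample lines are assumed; the
(?<!\\.) anchor and the __proto__:null exemption are from the changelog.
"""
import re

# Before calibration: any require( with a non-literal argument.
NAIVE_DYNAMIC_REQUIRE = re.compile(r"""\brequire\s*\(\s*(?!['"`])""")

# After calibration: the (?<!\.) lookbehind rejects a require preceded by a dot,
# so bundler method calls such as b.require(path) (Browserify API) no longer match.
ANCHORED_DYNAMIC_REQUIRE = re.compile(r"""(?<!\.)\brequire\s*\(\s*(?!['"`])""")

# JS-018: a write to __proto__ via dotted property, bracket key or object-literal key.
# (?!=) keeps == and === comparisons from being read as assignments.
PROTO_WRITE = re.compile(r"""__proto__['"]?\]?\s*[:=](?!=)""")

# Exemption: { __proto__: null } builds a null-prototype object, a defensive idiom.
DEFENSIVE_NULL_PROTO = re.compile(r"""['"]?__proto__['"]?\s*:\s*null\b""")


def scan(lines):
    """Return (1-based line number, rule id) for each hit of the calibrated rules."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if ANCHORED_DYNAMIC_REQUIRE.search(line):
            hits.append((n, "JS-023"))
        if PROTO_WRITE.search(line) and not DEFENSIVE_NULL_PROTO.search(line):
            hits.append((n, "JS-018"))
    return hits


def require_hits(lines):
    """(naive, anchored) dynamic-require hit counts, to show what the lookbehind removes."""
    naive = sum(1 for line in lines if NAIVE_DYNAMIC_REQUIRE.search(line))
    anchored = sum(1 for line in lines if ANCHORED_DYNAMIC_REQUIRE.search(line))
    return naive, anchored


# Constructed sample JavaScript, not from any real repository.
SAMPLE_JS = [
    'const mod = require(moduleName);',              # 1: dynamic require, a real JS-023 hit
    'const fs = require("fs");',                     # 2: literal argument, clean
    'b.require(entryPath, { expose: "app" });',      # 3: Browserify API, was a false positive
    'bundle.require(process.argv[2]);',              # 4: same, with a dynamic argument
    'const safe = { __proto__: null, a: 1 };',       # 5: null-prototype object, defensive
    'target["__proto__"] = payload;',                # 6: prototype pollution sink
    'obj.__proto__ = JSON.parse(body);',             # 7: prototype pollution sink
    'if (key === "__proto__") continue;',            # 8: comparison, not a write
]

if __name__ == "__main__":
    print("dynamic-require hits naive/anchored:", require_hits(SAMPLE_JS))
    for n, rule in scan(SAMPLE_JS):
        print(f"line {n}: {rule}: {SAMPLE_JS[n - 1]}")
```

The lookbehind is deliberately narrow: it only excludes a require that is a method call on some object, so a bare require with a computed argument, the case the rule exists for, still fires. The __proto__ exemption is an allowlist of one idiom rather than a weakening of the pattern, which is the safer way to remove a false positive from a sink rule.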