fix: Address 4 Cursor Bugbot findings from PR #34

- hybrid_analyzer.py: Add enable_nuclei_templates and enable_zap_baseline
  to "at least one tool enabled" validation check
- hybrid_analyzer.py + hybrid/report.py: Add Nuclei/ZAP to enabled tools
  report so active scanners appear in output
- nuclei_template_scanner.py: Replace non-deterministic hash() with
  hashlib.md5 for stable finding IDs across runs (PYTHONHASHSEED)
- zap_baseline_scanner.py: Remove order-dependent _finding_counter from
  ID generation so same finding gets same ID regardless of discovery order

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: devatsecure

scripts/hybrid/report.py

@@ -62,6 +62,10 @@ def get_enabled_tools(flags: dict[str, Any]) -> list[str]:
         ai_client = flags.get("ai_client")
         provider = getattr(ai_client, "provider", "AI")
         tools.append(f"AI-Enrichment ({provider})")
+    if flags.get("enable_nuclei_templates"):
+        tools.append("Nuclei-Templates")
+    if flags.get("enable_zap_baseline"):
+        tools.append("ZAP-Baseline")
     if flags.get("enable_argus"):
         tools.append("Argus")
     if flags.get("enable_sandbox"):
@@ -103,11 +107,15 @@ def save_results(result: HybridScanResult, output_dir: str, target_path: str) ->
 
         # Print validation summary
         if not validation_report.overall_passed:
-            logger.warning(f"⚠️  QUALITY CHECK FAILED: {validation_report.failed_findings}/{validation_report.total_findings} findings below quality threshold")
+            logger.warning(
+                f"⚠️  QUALITY CHECK FAILED: {validation_report.failed_findings}/{validation_report.total_findings} findings below quality threshold"
+            )
             logger.warning(f"⚠️  See {validation_output} for details")
             logger.warning("⚠️  DO NOT submit this report to external repositories without fixing quality issues!")
         else:
-            logger.info(f"✅ Quality validation PASSED: All {validation_report.passed_findings} findings meet quality standards")
+            logger.info(
+                f"✅ Quality validation PASSED: All {validation_report.passed_findings} findings meet quality standards"
+            )
     except ImportError:
         logger.warning("⚠️  report_quality_validator not available - skipping quality check")
     except Exception as e:

scripts/hybrid_analyzer.py

@@ -575,13 +575,16 @@ def __init__(
             and not self.enable_runtime_security
             and not self.enable_regression_testing
             and not self.enable_ai_enrichment
+            and not self.enable_nuclei_templates
+            and not self.enable_zap_baseline
         ):
             raise ValueError(
                 "❌ ERROR: At least one tool must be enabled!\n"
                 "   Enable: --enable-semgrep, --enable-trivy, --enable-checkov, "
                 "--enable-api-security, --enable-dast, --enable-supply-chain, "
                 "--enable-fuzzing, --enable-threat-intel, --enable-remediation, "
-                "--enable-runtime-security, --enable-regression-testing, or --enable-ai-enrichment"
+                "--enable-runtime-security, --enable-regression-testing, "
+                "--enable-nuclei-templates, --enable-zap-baseline, or --enable-ai-enrichment"
             )
 
     def analyze(
@@ -1089,6 +1092,8 @@ def _get_enabled_tools(self) -> list[str]:
                 "enable_runtime_security": self.enable_runtime_security,
                 "enable_regression_testing": self.enable_regression_testing,
                 "enable_ai_enrichment": self.enable_ai_enrichment,
+                "enable_nuclei_templates": self.enable_nuclei_templates,
+                "enable_zap_baseline": self.enable_zap_baseline,
                 "ai_client": self.ai_client,
                 "enable_argus": self.enable_argus,
                 "enable_sandbox": self.enable_sandbox,

scripts/nuclei_template_scanner.py

@@ -566,7 +566,8 @@ def _parse_nuclei_output(self, output_lines: list[str]) -> list[dict]:
                 raw_cwe = classification.get("cwe-id", None)
                 cwe_id = (raw_cwe[0] if raw_cwe else None) if isinstance(raw_cwe, list) else raw_cwe
 
-                finding_id = _make_finding_id(template_id, matched_at, hash(stripped) & 0xFFFFFFFF)
+                content_hash = int(hashlib.md5(stripped.encode()).hexdigest()[:8], 16)
+                finding_id = _make_finding_id(template_id, matched_at, content_hash)
 
                 finding: dict = {
                     "finding_id": f"nuclei-live-{finding_id}",

scripts/zap_baseline_scanner.py

@@ -532,9 +532,8 @@ def _find_zap_binary(self) -> Optional[str]:
     # ------------------------------------------------------------------
 
     def _generate_finding_id(self, prefix: str, file_path: str, line: int) -> str:
-        """Generate a deterministic finding ID."""
-        self._finding_counter += 1
-        hash_input = f"{prefix}:{file_path}:{line}:{self._finding_counter}"
+        """Generate a deterministic finding ID from content, not discovery order."""
+        hash_input = f"{prefix}:{file_path}:{line}"
         short_hash = hashlib.sha256(hash_input.encode()).hexdigest()[:8]
         return f"ZAP-{prefix}-{short_hash}"