T020: risk-score aggregation now treats independent signals on a tool as
additive instead of collapsing agreement. The deterministic scanner emits one
ScanFinding per tool whose Signals list every check that fired; CalculateRiskScore
weights each (deduplicated) finding by its distinct-signal count, so a tool
flagged by several checks scores higher than one flagged by a single check
(FR-006, SC-007). Legacy/cross-scanner findings carry no signals and weigh 1, so
existing scoring and the same-rule+location de-duplication are unchanged.
T021: surface confidence + signals in the CLI report (printFindingsList renders
"Confidence:" and "Signals:" lines) and confirm they serialize through the REST
aggregated scan report. Docs note added under security-commands.md.
Tests: consensus-raises-score + cross-scanner-dedup-retained scoring tests, CLI
render + absent-field tests, report-level serialization test.
Related #MCP-3578
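A self-contained sketch of the scoring rule the commit message describes, added here as an example; it is not the project's code in `internal/security/scanner/`. The `ScanFinding` shape, the `tool.deterministic` rule ID and the tool locations are assumptions; the two signal IDs are the ones the page names.

```go
package main

import "fmt"

// ScanFinding is an assumed stand-in for the scanner's finding type: one per
// tool, with the independent check IDs that fired (nil for legacy findings).
type ScanFinding struct {
	RuleID   string
	Location string
	Signals  []string
}
// findingWeight is the distinct-signal count; signal-less findings weigh 1.
func findingWeight(f ScanFinding) int {
	distinct := map[string]struct{}{}
	for _, s := range f.Signals {
		distinct[s] = struct{}{}
	}
	if len(distinct) == 0 {
		return 1
	}
	return len(distinct)
}

// CalculateRiskScore de-duplicates by rule_id+location (first occurrence
// wins), then sums weights so independent agreement adds to the score.
func CalculateRiskScore(findings []ScanFinding) int {
	seen := map[string]bool{}
	score := 0
	for _, f := range findings {
		key := f.RuleID + "|" + f.Location
		if seen[key] {
			continue
		}
		seen[key] = true
		score += findingWeight(f)
	}
	return score
}

func main() {
	// Constructed sample: a tool flagged by two checks (one reported twice),
	// a tool flagged once, and a legacy duplicate of the first rule+location.
	findings := []ScanFinding{
		{RuleID: "tool.deterministic", Location: "tool:alpha", Signals: []string{"unicode.hidden", "directive.imperative", "unicode.hidden"}},
		{RuleID: "tool.deterministic", Location: "tool:beta", Signals: []string{"directive.imperative"}},
		{RuleID: "tool.deterministic", Location: "tool:alpha"}, // same rule+location: dropped
	}
	fmt.Println("risk score:", CalculateRiskScore(findings)) // 2 + 1 = 3
}
```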
combined confidence) and `signals` (the independent check IDs that fired, e.g.
+
`unicode.hidden`, `directive.imperative`). When several independent checks
+
agree on one tool, that agreement **adds** to the composite `risk_score`
+
rather than being collapsed — the table report renders these as `Confidence:`
+
and `Signals:` lines under the finding.
-`reports` — per-scanner raw results (also includes SARIF when `?include_sarif=true` is passed to the REST endpoint)
-`scanner_statuses` — per-scanner execution records, each with `scanner_id`, `status`, `started_at`, `completed_at`, `duration_ms` (wall-clock execution time in milliseconds), `findings_count`, and `error`
-`scan_context` — source method, source path, scanned file list
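Review bot: the added `+` lines say that agreement between checks adds to `risk_score` rather than being collapsed, but they do not say by what rule it adds; the commit message has it (each de-duplicated finding is weighted by its distinct-signal count, findings without `signals`, i.e. legacy/cross-scanner ones, weigh 1, and same-rule+location de-duplication is unchanged). Suggest one sentence after `rather than being collapsed`, e.g. `A finding with N distinct signals contributes N times the weight of a single-signal finding; findings without signals weigh 1, and de-duplication by rule+location still applies.`, so an operator can read a score back to its causes.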
specs/076-deterministic-tool-scanner/tasks.md (2 additions & 2 deletions)
@@ -85,8 +85,8 @@ Single Go module. New package `internal/security/detect/` (engine + `checks/`);
**Independent test**: a multi-signal tool yields a finding listing each check, carrying confidence, with severity rising by signal count.
-
-[] T020 [US4] Update the risk-score aggregation in `internal/security/scanner/` (types.go / sarif.go scoring) so independent signals on a tool ADD to the score rather than dedup by `(rule_id+location)`; write a scoring test proving consensus raises the score (FR-006, SC-007).
-
-[] T021 [P][US4] Surface `confidence` + `signals` in the CLI report (`cmd/mcpproxy/security_cmd.go` printReportTable) and confirm they serialize in the REST scan report; add/update the report-rendering test.
+
-[x] T020 [US4] Update the risk-score aggregation in `internal/security/scanner/` (types.go / sarif.go scoring) so independent signals on a tool ADD to the score rather than dedup by `(rule_id+location)`; write a scoring test proving consensus raises the score (FR-006, SC-007).
+
-[x] T021 [P][US4] Surface `confidence` + `signals` in the CLI report (`cmd/mcpproxy/security_cmd.go` printReportTable) and confirm they serialize in the REST scan report; add/update the report-rendering test.
**Checkpoint**: operator can see why a tool was flagged and how strongly.
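Review bot: the ticked T021 line still names `printReportTable` in `cmd/mcpproxy/security_cmd.go`, while the commit message says `printFindingsList` renders the `Confidence:` and `Signals:` lines; since this hunk marks the task done, update the task text to the function that actually carries the change so the spec and the code agree. The T020 line likewise only asks for the consensus-raises-score test, whereas the commit message also lists a cross-scanner-dedup-retained test; naming both in the task keeps the spec an accurate record of what was verified.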