fix(scanner): downgrade clean risk score to degraded on incomplete coverage (MCP-2401)#669
Merged
Merged
Conversation
Deploying mcpproxy-docs with
|
| Latest commit: |
ccfa3dc
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://f598d1de.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://fix-mcp-2401-scan-coverage-d.mcpproxy-docs.pages.dev |
|
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
📦 Build ArtifactsWorkflow Run: View Run Available Artifacts
How to DownloadOption 1: GitHub Web UI (easiest)
Option 2: GitHub CLI gh run download 27501983628 --repo smart-mcp-proxy/mcpproxy-go
|
…verage The scan summary reported a 0/100 "clean" verdict even when part of the scanner fleet failed, so a user saw an all-clear while 40% of scanners never ran. Coverage was only surfaced as a separate WARNING block. Tie risk-score confidence to scanner coverage: - SecurityScanSummary / ScanSummary carry scanners_run/failed/total. - GetScanSummary computes coverage on the primary pass and downgrades a would-be "clean" verdict to a new "degraded" status when any scanner failed. "dangerous"/"warnings"/"failed" verdicts are left intact. - CLI report annotates the Risk Score line with "(degraded — N of M scanners did not run)". - Swagger + CLI docs updated. Related #MCP-2401
16d80ad to
ccfa3dc
Compare
There was a problem hiding this comment.
Claude review ACCEPT — rebased onto main (ccfa3dc), behavior unchanged (only additive test-func conflict resolved keeping both); scanner+contracts+cmd tests green.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The security scan summary reported a
0/100"clean" verdict even when part of the scanner fleet failed — a user saw an all-clear while up to 40% (2/5) of scanners never ran. Coverage was surfaced only as a separate WARNING block; the risk/score signal itself was never degraded, so a glance at the number was misleading.Fix
Tie risk-score confidence to scanner coverage and surface a degraded state:
SecurityScanSummary(contracts) /ScanSummary(scanner) now carryscanners_run/scanners_failed/scanners_total.GetScanSummarycomputes coverage over the primary (security) pass. A would-becleanverdict is downgraded to a newdegradedstatus whenscanners_failed > 0.dangerous/warnings/failedverdicts are left intact — they already signal risk, and missing coverage can only have hidden more, never less.failed(unchanged).printReportTableannotates the Risk Score line:Risk Score: 0/100 (degraded — 2 of 5 scanners did not run).Tests (TDD)
clean; now assertsdegraded).failedwhen all fail, no downgrade for findings-driven verdicts.go build ./...,go vet ./internal/server/, scanner/contracts/cmd suites, and golangci-lint v2 (CI config) — all green.Scope
Backend (score calc + contract) only. The FrontendEngineer UI badge for the new
degradedstatus is a separate lane per the issue.Related #MCP-2401