update to latest version of security improvements

Author: netomi

configuration/application.yml

@@ -234,36 +234,41 @@ ovsx:
   scanning:
     enabled: true
 
-  similarity:
-    enabled: true
-    enforced: true
-    levenshtein-threshold: 0.2        # Min 20% name difference allowed
-    skip-verified-publishers: true    # Skip checks for verified publishers
-    check-against-verified-only: true # Compare only against verified extensions
-    exclude-owner-namespaces: true    # Skip checks against extensions in namespaces owned by the same publisher
-    new-extensions-only: false        # Skip checks for extension with existing versions, applies similarity checks only to new extensions
-
-  secret-scanning:
-    enabled: true
-    rules-path: 'classpath:scanning/secret-scanning-custom-rules.yaml'
-
-    auto-generate-rules: true
-    force-regenerate-rules: false
-    generated-rules-path: '/tmp/secret-scanning-rules-gitleaks.yaml'
+    # Shared archive limits for all scanning checks (secret detection, blocklist, etc.)
+    max-archive-size-bytes: 1073741824   # 1 GB total archive limit
+    max-single-file-bytes: 268435456     # 256 MB per-file limit
+    max-entry-count: 100000              # Max ZIP entries to process
+    blocklist-check:
+      enabled: true
+      enforced: false
 
-    # File & Archive Limits
-    max-file-size-bytes: 5242880              # 5 MB per file
-    max-entry-count: 50000                    # Max entries in archive
-    max-total-uncompressed-bytes: 104857600   # 100 MB total
-    max-findings: 200                         # Stop after N secrets
+    similarity:
+      enabled: true
+      enforced: false
+      similarity-threshold: 0.2            # Min 20% name difference allowed
+      skip-if-publisher-verified: false    # Do not skip checks for verified publishers
+      only-protect-verified-names: false
+      allow-similarity-to-own-names: true  # Skip checks against extensions in namespaces owned by the same publisher
+      only-check-new-extensions: true      # Skip checks for extension with existing versions, applies similarity checks only to new extensions
 
-    # Line Processing
-    inline-suppressions: 'secret-scanner:ignore,gitleaks:allow,nosecret,@suppress-secret'
-    max-line-length: 10000
-    long-line-no-space-threshold: 1000
-    keyword-context-chars: 100
-    log-allowlisted-value-preview-length: 10
+    secret-detection:
+      enabled: true
+      enforced: false
+      rules-path: 'classpath:scanning/secret-detection-custom-rules.yaml'
+      suppression-markers: 'secret-detector:ignore,gitleaks:allow,nosecret,@suppress-secret'
+      gitleaks:
+        auto-fetch: true
+        force-refresh: true
+        output-path: '/tmp/secret-detection-rules-gitleaks.yaml'
+        scheduled-refresh: true
+        refresh-cron: '0 0 3 * * *'  # Daily at 3 AM
+        skip-rule-ids: 'generic-api-key'  # Rule IDs that produce too many false positives
+      max-findings: 200
+      minified-line-threshold: 10000
+      long-line-no-space-threshold: 1000
+      regex-context-chars: 100
+      debug-preview-chars: 10
 
-    # Timeout & Performance
-    timeout-seconds: 5
-    timeout-check-every-n-lines: 100
+      # Timeout & Performance
+      timeout-seconds: 10
+      timeout-check-interval: 100

website/package.json

@@ -6,7 +6,7 @@
     "repository": "https://github.com/eclipse/open-vsx.org",
     "license": "EPL-2.0",
     "dependencies": {
-        "openvsx-webui": "npm:openvsx-webui-test@0.18.0-security.2"
+        "openvsx-webui": "npm:openvsx-webui-test@0.18.0-security.3"
     },
     "resolutions": {
         "qs": "^6.14.1"

website/yarn.lock

@@ -2435,7 +2435,7 @@ __metadata:
     "@types/react-router-dom": "npm:^5.3.3"
     css-loader: "npm:^6.8.1"
     express: "npm:^4.21.2"
-    openvsx-webui: "npm:openvsx-webui-test@0.18.0-security.2"
+    openvsx-webui: "npm:openvsx-webui-test@0.18.0-security.3"
     source-map-loader: "npm:^4.0.1"
     style-loader: "npm:^3.3.3"
     typescript: "npm:~5.1.6"
@@ -2454,9 +2454,9 @@ __metadata:
   languageName: node
   linkType: hard
 
-"openvsx-webui@npm:openvsx-webui-test@0.18.0-security.2":
-  version: 0.18.0-security.2
-  resolution: "openvsx-webui-test@npm:0.18.0-security.2"
+"openvsx-webui@npm:openvsx-webui-test@0.18.0-security.3":
+  version: 0.18.0-security.3
+  resolution: "openvsx-webui-test@npm:0.18.0-security.3"
   dependencies:
     "@emotion/react": "npm:^11.11.1"
     "@emotion/styled": "npm:^11.11.0"
@@ -2480,7 +2480,7 @@ __metadata:
     react-infinite-scroller: "npm:^1.2.6"
     react-router: "npm:^6.14.2"
     react-router-dom: "npm:^6.14.1"
-  checksum: 10/64e44619d6531390efa6b3cfeabf630b687bc245fe403c7e24f3664525d85dfb301cd5abf33a740d493430eec80200dafff72c04ff59dbb0343851fc737d35ea
+  checksum: 10/4f5d73f5c19b8cb2d7c8ac29f8fac3d189e03b1f08b345fa142e1415a1190e0f077a14e6fdf43979b054677747fa84d21809f9171347d7fcae2851174c4092b3
   languageName: node
   linkType: hard