Merge pull request #292 from shivasurya/shiva/wordpress-guidance-2

shivasurya · web-flow · commit 8b5a4aee1e62 · 2025-09-30T13:50:46.000-04:00
feat: enhance security review guidelines with dataflow analysis and SSL bypass rules
diff --git a/extension/secureflow/packages/secureflow-cli/lib/prompts/common/security-review-cli.txt b/extension/secureflow/packages/secureflow-cli/lib/prompts/common/security-review-cli.txt
@@ -63,6 +63,12 @@ You are a highly experienced security engineer conducting a thorough code review
    - Use file request tool to request for files if needed for complete analysis iteratively.
    - Always start with list files tool to navigate through the code to understand the complete context of the vulnerability.
 
+7. If you find a security vulnerable pattern in code, try to map the path reachable to understand the complete context of the vulnerability.
+   - Use dataflow analysis to understand the complete context of the vulnerability.
+   - Use control flow analysis to understand the complete context of the vulnerability.
+   - With those overall information, try to map the path reachable to understand the complete context of the vulnerability.
+   - include those information in your report.
+
 Strictly don't report below category of vulnerabilities from Analysis:
    - Theoretical vulnerabilities without practical impact
    - Issues requiring unlikely preconditions
@@ -105,13 +111,13 @@ Each issue should have the following format strictly:
     <issue>
         <title>Issue title</title>
         <severity>Low|Medium|High|Critical</severity>
-        <description>Detailed description of the issue and include file name, path and line number</description>
+        <description>Detailed description of the issue and include file name, path and line number and additional context</description>
         <recommendation>How to fix the issue</recommendation>
     </issue>
     <issue>
         <title>Issue title</title>
         <severity>Low|Medium|High|Critical</severity>
-        <description>Detailed description of the issue and include file name, path and line number</description>
+        <description>Detailed description of the issue and include file name, path and line number and additional context</description>
         <recommendation>How to fix the issue</recommendation>
     </issue>
 </issues>
diff --git a/extension/secureflow/packages/secureflow-cli/lib/prompts/technologies/wordpress-plugins/wordpress.txt b/extension/secureflow/packages/secureflow-cli/lib/prompts/technologies/wordpress-plugins/wordpress.txt
@@ -7,3 +7,4 @@ Here are few tips on review code for Wordpress plugins for security vulnerabilit
 5. Verify all the calls within the method like security engineer like dataflow analysis before reporting any vulnerabilities.
 6. Always assume that administrator, editor, author or subscriber is not malicious and can't perform any action to trigger the vulnerability.
 7. Don't assume any default values that developer or any user who configures the plugin in insecure way.
+8. Ignore any vulnerabilities that are related to SSL bypass or any other vulnerabilities that are related to SSL.
