
fix(scanner): always surface cisco static-analysis coverage caveat (MCP-2399)#663

Merged
Dumbris merged 1 commit into main from fix/mcp-2399-cisco-coverage-caveat on Jun 14, 2026

Conversation

@Dumbris Dumbris commented Jun 14, 2026

Member

Summary

Resolves the residual coverage-honesty concern raised in MCP-2399 / gh #383: the cisco-mcp-scanner returns blanket is_safe:true/SAFE for URL targets and makes no network request, which risks being over-trusted as live coverage.

Forensic context (what was already true)

The residual gap this PR fixes

The only caveat ("no network request was made") was emitted solely when upstream stdout happened to contain the deepwiki placeholder. If a future cisco-ai-mcp-scanner release changes/drops that placeholder, the caveat silently vanishes while the static-only limitation remains.

Change

  • Prepend a permanent coverage caveat to every Cisco execution log, independent of the deepwiki string, leading the output so it survives MaxLogBytes truncation. The caveat states plainly: static analysis of tool definitions only, no live endpoint probe, no network request — so is_safe reflects the tool definitions, not runtime behavior.
  • Still strip the deepwiki placeholder line when present (unchanged behavior).
  • Docs: reframe the docs/features/security-scanner-plugins.md note from "cosmetic" to an explicit coverage caveat.

This is backend + docs only (internal/ + docs/), no frontend/API surface change. The displayed stdout is log-viewing only; findings are parsed from the report bytes, so the annotation does not affect parsed results (existing TestSetScannerLogs_* cover this).

Tests (TDD)

  • New: TestSanitizeCiscoStdout_SurfacesCoverageCaveatWithoutDeepwiki, TestSanitizeCiscoStdout_CaveatAlwaysLeadsOutput
  • Updated the obsolete no-op test to the new contract.
  • All 7 sanitize/log tests pass; go test ./internal/security/... -race green; golangci-lint (v2 CI config) 0 issues; go build ./cmd/mcpproxy clean.

Disposition for gh #383

Already CLOSED (cosmetic fix shipped in #528). This PR closes out the broader coverage-caveat ask from MCP-2399.

Related #383

The bundled cisco-mcp-scanner runs 'static --tools tools.json': it analyzes
the exported tool definitions with YARA + readiness rules and never probes the
live server endpoint or makes a network request. An is_safe/SAFE result therefore
reflects the tool definitions, not the server's runtime behavior — so a clean
Cisco result for a remote/URL server must not be over-trusted as live coverage.

Previously the only caveat ('no network request was made') was emitted by
sanitizeCiscoStdout solely when the upstream output happened to contain the
hardcoded deepwiki placeholder line. If a future cisco-ai-mcp-scanner release
changes or drops that placeholder, the caveat would silently vanish while the
static-only limitation remains.

Prepend a permanent coverage caveat to every Cisco execution log, independent
of the deepwiki string, leading the output so it survives MaxLogBytes truncation.
Still strip the deepwiki placeholder line when present. Update docs to frame the
limitation as a coverage caveat rather than a purely cosmetic note.

Resolves the residual coverage-honesty concern from gh #383 (cosmetic leak
already fixed in #528).

Related #383
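As an added example, not code from the mcpproxy-go project: a small Go sketch of the contract the PR description lays out. The caveat is prepended to every sanitized Cisco log, independent of whether the upstream placeholder line is present; the placeholder line is stripped when it does appear; and because the caveat leads the output it survives a head-preserving MaxLogBytes cut. The names sanitizeCiscoStdout and MaxLogBytes come from the page; the caveat wording, the 512-byte cap, the DEEPWIKI_PLACEHOLDER_LINE text and the truncateLog/caveatSurvives helpers are assumptions made for this example, not the project's real constants or functions.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed values for this example only; the project defines its own
// caveat text, placeholder line and MaxLogBytes.
const (
	// MaxLogBytes caps the stored execution log. The caveat must lead the
	// output so that this cap cannot remove it.
	MaxLogBytes = 512

	// coverageCaveat is prepended to every Cisco execution log so a clean
	// is_safe result is never read as live endpoint coverage.
	coverageCaveat = "[coverage caveat] cisco-mcp-scanner ran static analysis of the exported tool definitions only; " +
		"no live endpoint probe and no network request were made, so is_safe reflects the tool definitions, not runtime behavior."

	// deepwikiPlaceholder stands in for the hardcoded line the upstream
	// scanner prints; the real text is not reproduced here.
	deepwikiPlaceholder = "DEEPWIKI_PLACEHOLDER_LINE"
)

// sanitizeCiscoStdout models the PR's contract: the caveat always leads the
// output regardless of the placeholder, and the placeholder line, when
// present, is dropped.
func sanitizeCiscoStdout(stdout string) string {
	var kept []string
	for _, line := range strings.Split(stdout, "\n") {
		if strings.Contains(line, deepwikiPlaceholder) {
			continue // unchanged behavior: strip the placeholder line
		}
		kept = append(kept, line)
	}
	body := strings.TrimRight(strings.Join(kept, "\n"), "\n")
	if body == "" {
		return coverageCaveat + "\n"
	}
	return coverageCaveat + "\n" + body + "\n"
}

// truncateLog applies the size cap the way a head-preserving log store
// would: keep the first MaxLogBytes bytes and mark the cut.
func truncateLog(log string) string {
	if len(log) <= MaxLogBytes {
		return log
	}
	return log[:MaxLogBytes] + "\n[truncated]"
}

// caveatSurvives reports whether the stored (sanitized, then truncated) log
// still begins with the caveat; this is the property the PR's tests pin down.
func caveatSurvives(rawStdout string) bool {
	return strings.HasPrefix(truncateLog(sanitizeCiscoStdout(rawStdout)), coverageCaveat)
}

func main() {
	// Constructed sample scanner outputs, not captured output.
	withPlaceholder := "scanning tools.json\n" + deepwikiPlaceholder + "\nis_safe: true\n"
	withoutPlaceholder := "scanning tools.json\nis_safe: true\n"
	fmt.Print(sanitizeCiscoStdout(withPlaceholder))
	fmt.Println(caveatSurvives(withoutPlaceholder), caveatSurvives(strings.Repeat("x\n", 2000)))
}
```

The point of the head-first ordering: a log store that keeps the first MaxLogBytes bytes will always retain a leading caveat, whereas a caveat appended at the end, or one that depends on a particular upstream line being present, disappears exactly when the log is long or the upstream format changes.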
@cloudflare-workers-and-pages


Deploying mcpproxy-docs with Cloudflare Pages

Latest commit: 0ba6236
Status: ✅ Deploy successful!
Preview URL: https://182bfd9e.mcpproxy-docs.pages.dev
Branch Preview URL: https://fix-mcp-2399-cisco-coverage.mcpproxy-docs.pages.dev


@codecov-commenter


⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.


@mcpproxy-gatekeeper mcpproxy-gatekeeper Bot left a comment


Approved via Claude Code review (Codex out): cisco coverage caveat (MCP-2399/#383). Reviewer verified fix + tests + CI green; VERDICT ACCEPT.

@Dumbris Dumbris enabled auto-merge (squash) June 14, 2026 14:56
@github-actions


📦 Build Artifacts

Workflow Run: View Run
Branch: fix/mcp-2399-cisco-coverage-caveat

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27501576546 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

@Dumbris Dumbris merged commit 7553b44 into main Jun 14, 2026
38 checks passed