CHANGELOG.md
40 additions & 0 deletions
@@ -4,6 +4,46 @@ All notable changes to ghostscan are documented here.
---
+
## v0.4.0 - 2026-05-08
+
+
### New Features
+
+
-**Context-aware severity classification** - every finding is now assigned a severity (`LOW`, `MEDIUM`, `HIGH`, or `CRITICAL`) based on five inputs: sequence length, file shape (`code_like`/`data_like`/`prose_like`), file-role hints, finding region context, and decoder proximity. Bidi controls stay `HIGH` regardless of context; long invisible runs and payload correlations reach `CRITICAL`.
+
-**Public engine API** - the new `engine` package exposes `ScanFile`, `ScanBytes`, `ScanString`, and their `Detailed` variants so external Go projects can consume structured findings without invoking the CLI. Includes `Options` for `DisableBinaryCheck` and `DisableContext` modes, plus `SortFindings` for deterministic output ordering.
+
-**File-role hints** - conservative path and filename hints classify files as `locale_data`, `test_fixture`, or `build_release`. Low-signal invisible findings in benign test fixture contexts are suppressed, while bidi controls, payloads, correlations, long runs, and build or release contexts are never softened.
+
-**BOM suppression** - `U+FEFF` at byte offset 0 is recognized as a standard file BOM and no longer reported.
+
+
### Changes
+
+
-**`finding` package promoted to root** - `Finding`, `Severity`, `LineDistance`, and sorting utilities moved from `internal/finding` to the top-level `finding` package. External consumers can import this package directly without pulling in the engine.
+
-**Report suppression extracted** - finding suppression logic moved from `human.go` into a dedicated `suppress.go` module for clarity and reuse.
+
-**Observation lookup optimized** - replaced O(n) linear scan with map-based index lookup for observation-to-finding correlation.
+
-**`isTokenRune` renamed to `isIdentRune`** - naming now reflects its purpose more clearly.
+
-**Missing rule categories added to JSON output** - JSON reports now include rule categories that were previously omitted.
+
-**Decoder proximity refactored** - `hasNearbyDecoderMarker` extracted as a standalone helper, shared between classification and correlation logic.
+
-**`lineDistance` consolidated** - duplicate implementations unified into `finding.LineDistance`.
+
+
### Documentation
+
+
- README updated with reusable engine usage example, severity level tables, per-rule severity behavior, and low-signal invisible handling documentation.
+
- Added doc comments to all exported engine types and methods.
+
+
### Tests
+
+
- Added test coverage for severity classification across file shapes, region types, sequence lengths, and decoder proximity.
+
- Added public API tests for `ScanFile`, `ScanBytes`, `ScanString`, and `ScanBytesDetailed`.
+
- Added tests for file-role hint classification and low-signal suppression guards.
+
+
### Maintenance
+
+
- Bumped Go from `1.26.2` to `1.26.3`.
+
- Bumped `goreleaser/goreleaser-action` from `7.0.0` to `7.2.1`.
+
- Bumped `zerolog` to `v1.35.1`.
+
- Bumped `go-isatty` indirect dependency to `0.0.22`.
+
- Bumped `golang.org/x/sys` indirect dependency from `v0.43.0` to `v0.44.0`.
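Review bot: the `-**Missing rule categories added to JSON output**` entry under `### Changes` records a change to the JSON report schema without saying which categories were previously omitted or whether consumers filtering on category values need to update; list the categories now emitted (or point at the README table) and consider a separate compatibility note, since the entry sits between purely internal refactors (`suppress.go` extraction, the `isTokenRune` rename) where a downstream user of the JSON output is unlikely to look. Two smaller points: `-**BOM suppression**` should state explicitly that `U+FEFF` at any offset other than 0 is still reported, so the entry is not read as blanket suppression of the code point; and under `### Maintenance`, `- Bumped `zerolog` to `v1.35.1`` and the `go-isatty` line omit the previous version while the Go, `goreleaser/goreleaser-action` and `golang.org/x/sys` entries give both, so add the from-versions for consistency.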