Lines 3526-3566markdown
3526 D005 C# vulnerabilities defect: parser written against synthetic
3527 output, never validated against real tool output. Fixed by
3528 matching the canonical `\): error \w+:` regex. Caught by adding
3529 the C# row to the new lint matrix; the row failed because the
3530 parser returned 0 despite exit code != 0 and visible violations
3531 in the output. (`src/languages/csharp.ts`, **D016**)
3535- **Cross-ecosystem matrix layer** (`test/integration/cross-ecosystem.test.ts`).
3536 New `BENCHMARK_LANGUAGES` table at the top of the file is the
3537 single source of truth for which languages participate and where
3538 each fixture's deliberate findings live. Each `describe('matrix —
3539 <report>')` block iterates the table to produce one uniform
3540 assertion per language — adding a new feature is one new
3541 optional field per row + one new `matrix —` describe; adding a
3542 6th language is one row append + one fixture dir + one CI install.
3543 No search-and-replace across describe blocks.
3545- **`matrix — secrets` (Phase 10i.0.1)** — 5 hardcoded fake AWS
3546 access keys (`AKIA1234567890ABCDEF` — patterned digits/letters
3547 that pass gitleaks' `aws-access-token` regex but fail real AWS
3548 validation and GitHub push protection). One per benchmark
3549 ecosystem. Asserts `dxkit vulnerabilities` surfaces a
3550 `SecretFinding` (category=secret, tool=gitleaks,
3551 rule=aws-access-token) for each.
3553- **`matrix — lint` (Phase 10i.0.2)** — 5 deliberate idiomatic
3554 linter violations (Python ruff F401 unused-import, Go gosimple
3555 S1002 bool-comparison, Rust clippy unused_variables, C#
3556 dotnet-format whitespace × 2). Asserts `dxkit quality` reports
3557 the expected linter and ≥1 lint finding. CI workflow now
3558 installs `ruff` (pipx), `golangci-lint` (curl install script),
3559 and `clippy` (rustup component) alongside the existing depVulns
3560 toolchains; `dotnet format` ships in the .NET 8 SDK.
3562- **`matrix — duplications` (Phase 10i.0.3)** — two near-identical
3563 helpers per fixture, sized comfortably above jscpd's
3564 `--min-lines 5 --min-tokens 50` defaults (initial pass had
3565 ~30-token bodies that fell below the threshold; widened on the
3566 way in). Asserts `metrics.duplication.cloneCount > 0`.