Lines 3734-3774markdown
3734 D005 C# vulnerabilities defect: parser written against synthetic
3735 output, never validated against real tool output. Fixed by
3736 matching the canonical `\): error \w+:` regex. Caught by adding
3737 the C# row to the new lint matrix; the row failed because the
3738 parser returned 0 despite exit code != 0 and visible violations
3739 in the output. (`src/languages/csharp.ts`, **D016**)
3743- **Cross-ecosystem matrix layer** (`test/integration/cross-ecosystem.test.ts`).
3744 New `BENCHMARK_LANGUAGES` table at the top of the file is the
3745 single source of truth for which languages participate and where
3746 each fixture's deliberate findings live. Each `describe('matrix —
3747 <report>')` block iterates the table to produce one uniform
3748 assertion per language — adding a new feature is one new
3749 optional field per row + one new `matrix —` describe; adding a
3750 6th language is one row append + one fixture dir + one CI install.
3751 No search-and-replace across describe blocks.
3753- **`matrix — secrets` (Phase 10i.0.1)** — 5 hardcoded fake AWS
3754 access keys (`AKIA1234567890ABCDEF` — patterned digits/letters
3755 that pass gitleaks' `aws-access-token` regex but fail real AWS
3756 validation and GitHub push protection). One per benchmark
3757 ecosystem. Asserts `dxkit vulnerabilities` surfaces a
3758 `SecretFinding` (category=secret, tool=gitleaks,
3759 rule=aws-access-token) for each.
3761- **`matrix — lint` (Phase 10i.0.2)** — 5 deliberate idiomatic
3762 linter violations (Python ruff F401 unused-import, Go gosimple
3763 S1002 bool-comparison, Rust clippy unused_variables, C#
3764 dotnet-format whitespace × 2). Asserts `dxkit quality` reports
3765 the expected linter and ≥1 lint finding. CI workflow now
3766 installs `ruff` (pipx), `golangci-lint` (curl install script),
3767 and `clippy` (rustup component) alongside the existing depVulns
3768 toolchains; `dotnet format` ships in the .NET 8 SDK.
3770- **`matrix — duplications` (Phase 10i.0.3)** — two near-identical
3771 helpers per fixture, sized comfortably above jscpd's
3772 `--min-lines 5 --min-tokens 50` defaults (initial pass had
3773 ~30-token bodies that fell below the threshold; widened on the
3774 way in). Asserts `metrics.duplication.cloneCount > 0`.