Description
The security extension should be able to detect relevant privacy violations.
The current CUJs being prioritized:
P0: CUJ-1: Identify and remove data leaks to log files
A developer is writing code that logs a user's IP address. The Gemini CLI extension acts as a vigilant assistant, instantly flagging such code within the developer's workflow. It provides AI-generated fixes—for example, replacing the IP address with a salted hash or redacting it completely—that can be applied with a single click, ensuring data privacy is maintained without interrupting the developer's flow.
P0: CUJ-2: Identify sensitive flows to 3Ps
The CLI extension proactively identifies and alerts developers when sensitive data types (such as SSNs, telephone numbers, or precise location information) are being transmitted to third-party services.
There are some related nodes in our current taxonomy, and we will run benchmarks to decide how to expand or split those nodes to cover specific privacy violations:
Logging of Sensitive Information (CWE-200): Analyze for the logging of sensitive information. Scan the code for logging statements that might write passwords, PII, API keys, or session tokens to application or system logs.
PII Handling Violations: Analyze how the application handles Personally Identifiable Information (PII). Look for improper storage (e.g., unencrypted), insecure transmission, or any use that may violate data privacy regulations.
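The CUJ-1 workflow as an added example (not code from the Gemini CLI extension or from this issue): a small Python heuristic that flags log calls whose arguments name a sensitive field, beside the two suggested fixes, a salted hash and redaction. The sample source, the identifier list and the salt are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample of developer code under review (not from the issue).
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)

def on_request(request, user):
    log.info("client connected from %s", request.client_ip)
    log.debug("user ssn=%s", user.ssn)
    log.info("request path %s", request.path)
'''

# Assumed heuristic list of identifier fragments that suggest PII (CUJ-1 / CUJ-2 data types).
SENSITIVE_NAMES = re.compile(r"\b(ip|ip_addr|client_ip|ssn|phone|lat|lon|location)\b", re.I)
LOG_CALL = re.compile(r"\b(log|logger|logging)\.(debug|info|warning|error|critical)\(")


def find_log_leaks(source: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for log calls whose arguments name a sensitive field."""
    hits = []
    for number, line in enumerate(source.splitlines(), 1):
        if LOG_CALL.search(line) and SENSITIVE_NAMES.search(line):
            hits.append((number, line.strip()))
    return hits


def pseudonymize(value: str, salt: bytes) -> str:
    """Salted-hash fix: keyed SHA-256 so the same IP still correlates across log lines,
    but the raw address is not recoverable without the salt. Truncated for log brevity.
    The salt must be secret and high-entropy: IPv4 has only 2**32 values, so an
    unsalted or guessable-salt hash can be reversed by enumeration."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()[:16]


def redact_ip(ip: str) -> str:
    """Redaction fix: keep only the /24 prefix of an IPv4 address; anything else is dropped."""
    parts = ip.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return ".".join(parts[:3] + ["x"])
    return "[redacted]"


if __name__ == "__main__":
    for number, line in find_log_leaks(SAMPLE_SOURCE):
        print(f"line {number}: possible PII in log call -> {line}")
    print("salted hash:", pseudonymize("203.0.113.7", b"constructed-salt"))
    print("redacted   :", redact_ip("203.0.113.7"))
```

The name-based check is deliberately coarse; a production detector would resolve the types flowing into the log call rather than match identifiers, which is what the taxonomy benchmarks above would measure.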