fix: add error handling for flag parsing, JSON marshaling and report validation

Author: CodeMonkeyCybersecurity

cmd/platform.go

@@ -42,9 +42,15 @@ var platformProgramsCmd = &cobra.Command{
 	Use:   "programs",
 	Short: "List available bug bounty programs",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		// P0-2: TODO: Fix silent error suppression - check flag parsing errors
-		platform, _ := cmd.Flags().GetString("platform")
-		output, _ := cmd.Flags().GetString("output")
+		// P0-2 FIX: Check flag parsing errors
+		platform, err := cmd.Flags().GetString("platform")
+		if err != nil {
+			return fmt.Errorf("invalid --platform flag: %w", err)
+		}
+		output, err := cmd.Flags().GetString("output")
+		if err != nil {
+			return fmt.Errorf("invalid --output flag: %w", err)
+		}
 
 		client, err := getPlatformClient(platform)
 		if err != nil {
@@ -60,8 +66,11 @@ var platformProgramsCmd = &cobra.Command{
 		}
 
 		if output == "json" {
-			// P0-3: TODO: Fix silent error suppression - check JSON marshaling errors
-			jsonData, _ := json.MarshalIndent(programs, "", "  ")
+			// P0-3 FIX: Check JSON marshaling errors
+			jsonData, err := json.MarshalIndent(programs, "", "  ")
+			if err != nil {
+				return fmt.Errorf("failed to marshal programs to JSON: %w", err)
+			}
 			fmt.Println(string(jsonData))
 		} else {
 			printPrograms(programs)
@@ -77,10 +86,19 @@ var platformSubmitCmd = &cobra.Command{
 	Args:  cobra.ExactArgs(1),
 	RunE: func(cmd *cobra.Command, args []string) error {
 		findingID := args[0]
-		// P0-2: TODO: Fix silent error suppression - check flag parsing errors
-		platform, _ := cmd.Flags().GetString("platform")
-		programHandle, _ := cmd.Flags().GetString("program")
-		dryRun, _ := cmd.Flags().GetBool("dry-run")
+		// P0-2 FIX: Check flag parsing errors
+		platform, err := cmd.Flags().GetString("platform")
+		if err != nil {
+			return fmt.Errorf("invalid --platform flag: %w", err)
+		}
+		programHandle, err := cmd.Flags().GetString("program")
+		if err != nil {
+			return fmt.Errorf("invalid --program flag: %w", err)
+		}
+		dryRun, err := cmd.Flags().GetBool("dry-run")
+		if err != nil {
+			return fmt.Errorf("invalid --dry-run flag: %w", err)
+		}
 
 		store := GetStore()
 		if store == nil {
@@ -112,7 +130,10 @@ var platformSubmitCmd = &cobra.Command{
 
 		if dryRun {
 			log.Info("DRY RUN - Report would be submitted:", "component", "platform")
-			reportJSON, _ := json.MarshalIndent(report, "", "  ")
+			reportJSON, err := json.MarshalIndent(report, "", "  ")
+			if err != nil {
+				return fmt.Errorf("failed to marshal report to JSON: %w", err)
+			}
 			fmt.Println(string(reportJSON))
 			return nil
 		}

pkg/auth/common/types.go

@@ -110,6 +110,17 @@ type Finding struct {
 	CreatedAt   time.Time  `json:"created_at"`
 }
 
+// TestResult represents the result of a single security test
+type TestResult struct {
+	Name        string    `json:"name"`
+	Protocol    AuthProtocol `json:"protocol"`
+	Vulnerable  bool      `json:"vulnerable"`
+	Severity    string    `json:"severity"`
+	Description string    `json:"description"`
+	Evidence    []Evidence `json:"evidence,omitempty"`
+	ExecutedAt  time.Time `json:"executed_at"`
+}
+
 // AuthReport represents the main authentication report
 type AuthReport struct {
 	Target          string                 `json:"target"`
@@ -118,6 +129,7 @@ type AuthReport struct {
 	Configuration   AuthConfiguration      `json:"configuration"`
 	Vulnerabilities []Vulnerability        `json:"vulnerabilities"`
 	AttackChains    []AttackChain          `json:"attack_chains"`
+	Tests           []TestResult           `json:"tests"` // Individual test results for audit trail
 	Summary         ReportSummary          `json:"summary"`
 	Protocols       map[string]interface{} `json:"protocols"`
 }

pkg/platforms/aws/client.go

@@ -69,16 +69,16 @@ func (c *Client) GetProgramByHandle(ctx context.Context, handle string) (*platfo
 
 // Submit submits a vulnerability report to AWS VRP via HackerOne
 func (c *Client) Submit(ctx context.Context, report *platforms.VulnerabilityReport) (*platforms.SubmissionResponse, error) {
-	// P0-4: TODO: Add validation call here
-	// if err := report.Validate(); err != nil {
-	//     return nil, fmt.Errorf("invalid report: %w", err)
-	// }
-
 	// Ensure the report is for the AWS program
 	if report.ProgramHandle == "" {
 		report.ProgramHandle = c.config.ProgramHandle
 	}
 
+	// P0-4 FIX: Validate report before submission
+	if err := report.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid report: %w", err)
+	}
+
 	// Add AWS-specific context to the report
 	awsContext := fmt.Sprintf("\n\n---\n**AWS Service**: %s\n**Region**: %s\n**Account Type**: %s",
 		getServiceFromAsset(report.AssetURL),

pkg/platforms/azure/client.go

@@ -125,22 +125,26 @@ func (c *Client) Submit(ctx context.Context, report *platforms.VulnerabilityRepo
 	// For now, we return the formatted report
 	reportID := fmt.Sprintf("azure-%d", time.Now().Unix())
 
-	// P0-5: TODO: This should return Success: false since report is NOT actually submitted
-	// User must manually email the report. Currently misleading users that it's submitted.
+	// P0-5 FIX: Report is NOT automatically submitted - user must manually send email
+	// Success: false to indicate manual action required
 	return &platforms.SubmissionResponse{
-		Success:  true, // TODO: Change to false - report is not actually submitted!
+		Success:  false, // CRITICAL: Report is NOT submitted - user must manually email
 		ReportID: reportID,
 		ReportURL: "mailto:" + c.config.ReportingEmail + "?subject=" +
 			fmt.Sprintf("Azure Security Vulnerability: %s", report.Title) +
 			"&body=" + emailBody,
-		Status:      "pending_email", // TODO: Change to "pending_manual_email"
-		Message:     fmt.Sprintf("Report formatted for email submission to %s", c.config.ReportingEmail), // TODO: Add warning that manual action required
+		Status: "requires_manual_email", // User must click mailto link or copy email body
+		Message: fmt.Sprintf("⚠️  MANUAL ACTION REQUIRED: Report formatted but NOT submitted.\n"+
+			"Please click the mailto: link above or manually email the report to %s\n"+
+			"The email body has been formatted according to MSRC guidelines.",
+			c.config.ReportingEmail),
 		SubmittedAt: time.Now(),
 		PlatformData: map[string]interface{}{
 			"reporting_email": c.config.ReportingEmail,
 			"program_type":    c.config.ProgramType,
 			"severity":        severity,
 			"email_body":      emailBody,
+			"requires_manual_submission": true,
 		},
 	}, nil
 }

pkg/platforms/bugcrowd/client.go

@@ -135,10 +135,10 @@ func (c *Client) GetProgramByHandle(ctx context.Context, handle string) (*platfo
 
 // Submit submits a vulnerability report to Bugcrowd
 func (c *Client) Submit(ctx context.Context, report *platforms.VulnerabilityReport) (*platforms.SubmissionResponse, error) {
-	// P0-4: TODO: Add validation call here
-	// if err := report.Validate(); err != nil {
-	//     return nil, fmt.Errorf("invalid report: %w", err)
-	// }
+	// P0-4 FIX: Validate report before submission
+	if err := report.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid report: %w", err)
+	}
 
 	// Map severity to Bugcrowd priority format (P1-P5)
 	mapping := platforms.GetSeverityMapping("bugcrowd")

pkg/platforms/hackerone/client.go

@@ -130,10 +130,10 @@ func (c *Client) GetProgramByHandle(ctx context.Context, handle string) (*platfo
 
 // Submit submits a vulnerability report to HackerOne
 func (c *Client) Submit(ctx context.Context, report *platforms.VulnerabilityReport) (*platforms.SubmissionResponse, error) {
-	// P0-4: TODO: Add validation call here
-	// if err := report.Validate(); err != nil {
-	//     return nil, fmt.Errorf("invalid report: %w", err)
-	// }
+	// P0-4 FIX: Validate report before submission
+	if err := report.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid report: %w", err)
+	}
 
 	// Map severity to HackerOne format
 	mapping := platforms.GetSeverityMapping("hackerone")