@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/mass-assignment.js

@@ -0,0 +1,101 @@
+import { blankComments } from './_comment-strip.js';
+// Mass assignment / over-posting detector.
+//
+// The classic shape: developer wires the entire request body into an ORM
+// create/update call, allowing the client to set fields the route handler
+// never intended (is_admin, role, balance, etc.).
+//
+// Languages covered:
+//   - JS/TS Express + Mongoose/Sequelize/Prisma/TypeORM
+//   - Ruby on Rails ActiveRecord
+//   - Python Django ORM / Flask-SQLAlchemy
+//   - Java Spring Data
+//   - Go GORM
+//
+// Heuristic per-language: spread/splat of a request-body shape directly into
+// a constructor, create(), update(), .save(), .set(), or Object.assign on a
+// model. Whitelisting (allowed-fields pick) is the canonical fix.
+
+const ALLOW_LIST_HINTS = /(?:pick|allowedFields|permit|allowed_params|whitelist|strong_params|FILTER_FIELDS|select_for|only:)/;
+
+const JS_PATTERNS = [
+  // Object.assign(user, req.body)
+  /Object\.assign\s*\(\s*(\w+)\s*,\s*(req|request)\s*\.\s*(body|params|query)\b/g,
+  // new User({ ...req.body })  or  User.create({ ...req.body })
+  /(?:new\s+([A-Z]\w+)\s*\(\s*\{[^}]*\.\.\.\s*(?:req|request)\s*\.\s*(?:body|params|query))/g,
+  // User.create(req.body)  ·  Model.update(req.body, …)
+  /\b([A-Z]\w+)\s*\.\s*(?:create|update|build|save)\s*\(\s*(?:req|request)\s*\.\s*(?:body|params|query)\s*[,)]/g,
+  // prisma.user.update({ data: req.body })
+  /\.\s*(?:create|update|upsert)\s*\(\s*\{[^}]*data\s*:\s*(?:req|request)\s*\.\s*(?:body|params|query)/g,
+];
+
+const PY_PATTERNS = [
+  // Model.objects.create(**request.POST) / **request.data / **request.json
+  /\b([A-Z]\w+)\s*(?:\.objects)?\s*\.\s*(?:create|update|filter\([^)]*\)\.update)\s*\(\s*\*\*\s*request\s*\.\s*(?:POST|data|json|form)/g,
+  // serializer.save(**request.data)
+  /\.save\s*\(\s*\*\*\s*request\s*\.\s*(?:data|json|POST|form)/g,
+  // setattr(obj, k, v) loop over request.data without allow-list
+  /for\s+\w+\s*,\s*\w+\s+in\s+request\s*\.\s*(?:data|json|POST|form)\s*\.\s*items\s*\([^)]*\)\s*:\s*\n\s*setattr/g,
+];
+
+const RB_PATTERNS = [
+  // User.create(params)  ·  user.update(params)
+  /\b([A-Z]\w+)\s*\.\s*(?:create|update|new)\s*\(\s*params\s*[,)]/g,
+  // user.assign_attributes(params)  ·  user.attributes = params
+  /\.(?:assign_attributes|attributes\s*=)\s*\(?\s*params\s*[,)]?/g,
+];
+
+const GO_PATTERNS = [
+  // db.Model(&user).Updates(input)  where input is fully user-controlled
+  /\bdb\s*\.\s*(?:Model|Updates|Create)\s*\([^)]*&?\s*(\w+)\s*\)/g,
+];
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+function pickPatterns(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return { lang: 'js', patterns: JS_PATTERNS };
+  if (/\.py$/i.test(fp)) return { lang: 'py', patterns: PY_PATTERNS };
+  if (/\.rb$/i.test(fp)) return { lang: 'rb', patterns: RB_PATTERNS };
+  if (/\.go$/i.test(fp)) return { lang: 'go', patterns: GO_PATTERNS };
+  return null;
+}
+
+export function scanMassAssignment(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const sel = pickPatterns(fp);
+  if (!sel) return [];
+  const findings = [];
+  const seen = new Set();
+  const code = blankComments(raw, sel.lang === 'py' ? 'py' : undefined);
+  // Skip files that look like they use an allow-list — strong signal of safety.
+  if (ALLOW_LIST_HINTS.test(code.slice(0, 4000))) {
+    // not a hard skip: still scan but downgrade
+  }
+  for (const re of sel.patterns) {
+    const r = new RegExp(re.source, re.flags);
+    let m;
+    while ((m = r.exec(code))) {
+      const line = lineOf(raw, m.index);
+      const id = `mass-assignment:${fp}:${line}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      // Look ±5 lines for an allow-list signal — if present, downgrade.
+      const lines = raw.split('\n');
+      const window = lines.slice(Math.max(0, line - 6), line + 5).join(' ');
+      const hasAllowList = ALLOW_LIST_HINTS.test(window);
+      findings.push({
+        id,
+        file: fp, line,
+        vuln: 'Mass Assignment: Unfiltered request body into model write',
+        severity: hasAllowList ? 'low' : 'high',
+        cwe: 'CWE-915',
+        stride: 'Tampering',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: 'Explicitly allow-list the fields a client may set, instead of spreading the whole request body into the model write. Express: `pick(req.body, ["name", "email"])` (lodash) before `.create()`. Rails: `params.require(:user).permit(:name, :email)`. Django: a `ModelForm` / `Serializer` with explicit fields. Mass-assigning the whole body lets a client elevate privileges by adding `is_admin: true` to the JSON.',
+        parser: 'MASS-ASSIGN',
+        confidence: hasAllowList ? 0.40 : 0.85,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/mcp-audit.js

@@ -0,0 +1,242 @@
+// MCP / Agent tool security audit.
+//
+// Scans MCP server config files (claude_desktop_config.json, *.mcp.json, mcp.json,
+// .claude/mcp.json) and tool-definition source for the canonical agent-host
+// risks:
+//   - Untrusted server install vector  (curl|sh, http://, unpinned npx)
+//   - Over-scoped filesystem grant      (root, $HOME, /, *)
+//   - Hardcoded credential in env       (sk-…, github_pat_…, AKIA…, ghp_…)
+//   - Prompt injection in description   (instruction overrides in tool descriptions)
+//   - Dangerous tool capability         (shell/exec/eval/sql exposed to model)
+//   - Unrestricted network passthrough  (proxy tools without allow-list)
+//
+// F1 strategy:
+//   Recall    — broad config-file matching across config name variants.
+//   Precision — fire only when one of the patterns above is concretely present
+//               in a JSON config or in a tool definition with description+name.
+
+const _MCP_FILE_RE = /(?:^|[\\/])(?:claude_desktop_config\.json|\.?mcp\.json|[^/\\]+\.mcp\.json|mcp_servers\.json)$/i;
+const _NONPROD_RE = /(?:^|[\\/])(?:tests?|examples?|fixtures?|node_modules|docs?)[\\/]/i;
+
+// Hardcoded credential shapes commonly leaked in MCP env: blocks
+const _HARDCODED_CRED_RE = [
+  /\b(?:sk-[A-Za-z0-9]{20,})\b/,                  // OpenAI / Anthropic
+  /\b(?:sk-ant-[A-Za-z0-9_-]{20,})\b/,             // Anthropic
+  /\b(?:ghp_[A-Za-z0-9]{36})\b/,                   // GitHub PAT
+  /\b(?:github_pat_[A-Za-z0-9_]{20,})\b/,          // GitHub fine-grained PAT
+  /\b(?:gho_[A-Za-z0-9]{36})\b/,                   // GitHub OAuth
+  /\bAKIA[0-9A-Z]{16}\b/,                          // AWS access key id
+  /\b(?:xox[abprs]-[A-Za-z0-9-]{10,})\b/,          // Slack
+  /\b(?:gsk_[A-Za-z0-9]{30,})\b/,                  // Groq
+];
+
+// Description fields that try to inject instructions into the agent
+const _PROMPT_INJECTION_RE = [
+  /\b(?:ignore|disregard|forget)\s+(?:all\s+)?(?:previous|prior|above|preceding)\s+(?:instructions|directives|prompts|rules)/i,
+  /\b(?:you\s+are\s+now|new\s+system\s+prompt|act\s+as|pretend\s+to\s+be)\b/i,
+  /\b(?:before\s+(?:running|invoking|using)\s+this\s+tool[^.]*?(?:read|exfiltrate|send|leak|copy|reveal|exec))/i,
+  /<\s*\|?\s*(?:system|im_start|im_end|assistant|user)\s*\|?\s*>/i,
+  /\b(?:print|reveal|output|show|expose|reveal)\s+(?:your|the)?\s*(?:system\s+prompt|instructions|api\s+key|credentials|secrets?)\b/i,
+];
+
+// Tool/server names that imply dangerous capabilities
+const _DANGEROUS_CAPABILITY_NAMES = /\b(?:shell|bash|exec|run_command|run_shell|execute_shell|eval|eval_python|sandbox_exec|run_code|sudo|root|kubectl|docker_exec|admin|drop_table|raw_query|ssh|fetch_url_unrestricted)\b/i;
+
+// Filesystem args / env paths that grant excessive scope
+const _FS_OVERSCOPE_RE = [
+  /^(?:\/|~\/?|\$HOME\/?|\$\{?HOME\}?\/?)$/,
+  /^(?:\/|~|\$HOME|\$\{HOME\})\s*\*$/,
+  /^(?:\/|~|\$HOME|\$\{HOME\})\/\*\*$/,
+];
+const _FS_LIKE_PATH_RE = /^(?:[A-Za-z]:|\/|~\/?|\$HOME|\$\{HOME\}|\.\.?\/)/;
+
+// Untrusted install / command vectors
+const _UNTRUSTED_INSTALL_RE = [
+  /\bcurl\s+[^|]*\|\s*(?:sh|bash|zsh)\b/,
+  /\bwget\s+[^|]*\|\s*(?:sh|bash|zsh)\b/,
+  /^http:\/\//i,
+];
+
+// Floating npx pins / unpinned versions in command:/args:
+const _FLOATING_PIN_RE = /@(?:latest|next|main|master|beta|canary)\b/;
+
+function _stringsFromValue(v, out=[]) {
+  if (v === null || v === undefined) return out;
+  if (typeof v === 'string') { out.push(v); return out; }
+  if (typeof v === 'number' || typeof v === 'boolean') { out.push(String(v)); return out; }
+  if (Array.isArray(v)) { for (const x of v) _stringsFromValue(x, out); return out; }
+  if (typeof v === 'object') { for (const k of Object.keys(v)) _stringsFromValue(v[k], out); return out; }
+  return out;
+}
+
+function _findLineOf(raw, needle) {
+  if (!raw || !needle) return 1;
+  const idx = raw.indexOf(needle);
+  if (idx === -1) return 1;
+  return raw.substring(0, idx).split('\n').length;
+}
+
+function _findKeyLine(raw, key) {
+  if (!raw || !key) return 1;
+  const re = new RegExp('"' + key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') + '"\\s*:');
+  const m = raw.match(re);
+  if (!m) return 1;
+  return raw.substring(0, m.index).split('\n').length;
+}
+
+function _isMcpConfigFile(fp) {
+  const norm = fp.replace(/\\/g, '/');
+  if (_NONPROD_RE.test(norm)) return false;
+  return _MCP_FILE_RE.test(norm);
+}
+
+// Public: scan a single file. Mirrors scanLLM/scanPipeline shape so the engine
+// can call it inline for each file.
+export function scanMCP(fp, raw) {
+  if (!_isMcpConfigFile(fp)) return [];
+  if (!raw || raw.length > 200_000) return [];
+  let parsed;
+  try { parsed = JSON.parse(raw); } catch { return []; }
+  if (!parsed || typeof parsed !== 'object') return [];
+
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => {
+    const key = `${f.file}:${f.line}:${f.vuln}`;
+    if (seen.has(key)) return;
+    seen.add(key);
+    findings.push(f);
+  };
+
+  // Both `mcpServers` (Claude desktop config) and top-level server maps
+  const servers = (parsed.mcpServers && typeof parsed.mcpServers === 'object')
+    ? parsed.mcpServers
+    : (parsed.servers && typeof parsed.servers === 'object')
+      ? parsed.servers
+      : parsed;
+
+  for (const [name, srv] of Object.entries(servers || {})) {
+    if (!srv || typeof srv !== 'object') continue;
+    const line = _findKeyLine(raw, name);
+
+    // 1. Untrusted install vector in command/args
+    const cmd = typeof srv.command === 'string' ? srv.command : '';
+    const args = Array.isArray(srv.args) ? srv.args.filter(a => typeof a === 'string') : [];
+    const fullCmd = [cmd, ...args].join(' ');
+    if (fullCmd && _UNTRUSTED_INSTALL_RE.some(re => re.test(fullCmd))) {
+      push({
+        id: `mcp-audit:${fp}:${line}:untrusted-install`,
+        kind: 'mcp', severity: 'critical',
+        vuln: 'MCP: untrusted install vector (curl|sh / http://) in server command',
+        cwe: 'CWE-494', stride: 'Tampering',
+        file: fp, line, snippet: `${name}: ${fullCmd}`.slice(0, 200),
+        fix: `MCP server "${name}" runs through an untrusted bootstrap (curl|sh or http://). Pin to a published, signed package and use https. Example: replace \`curl http://… | sh\` with an explicit \`npx -y package@<sha>\` that you have audited.`,
+      });
+    }
+
+    // 2. Floating tag pin in npx/uvx invocations
+    if (args.some(a => _FLOATING_PIN_RE.test(a))) {
+      const offending = args.find(a => _FLOATING_PIN_RE.test(a));
+      push({
+        id: `mcp-audit:${fp}:${line}:floating-pin`,
+        kind: 'mcp', severity: 'high',
+        vuln: 'MCP: server pinned to a floating tag (@latest/@main)',
+        cwe: 'CWE-1357', stride: 'Tampering',
+        file: fp, line, snippet: `${name}: ${offending}`,
+        fix: `Floating tag means the publisher (or an attacker who compromises them) can ship new code into your agent any time. Pin to a specific semver: \`pkg@1.2.3\` — or, even better, a published SHA.`,
+      });
+    }
+
+    // 3. Hardcoded credentials in env or args
+    const envObj = (srv.env && typeof srv.env === 'object') ? srv.env : {};
+    const allEnvStrings = _stringsFromValue(envObj);
+    const allArgStrings = _stringsFromValue(args);
+    const allHaystacks = [...allEnvStrings, ...allArgStrings];
+    for (const s of allHaystacks) {
+      if (_HARDCODED_CRED_RE.some(re => re.test(s))) {
+        push({
+          id: `mcp-audit:${fp}:${line}:hardcoded-cred`,
+          kind: 'mcp', severity: 'critical',
+          vuln: 'MCP: hardcoded credential in server env/args',
+          cwe: 'CWE-798', stride: 'Information Disclosure',
+          file: fp, line, snippet: `${name}: <credential redacted>`,
+          fix: `MCP server "${name}" carries a hardcoded API key. Move it to a secret store and reference via \`env: { API_KEY: "\${{ secrets.API_KEY }}" }\` or read from the user's keychain at startup.`,
+        });
+        break;
+      }
+    }
+
+    // 4. Filesystem over-scope. Common when @modelcontextprotocol/server-filesystem
+    //    is invoked with a root/home arg.
+    const isFsServer = /filesystem|files?|fs/i.test(name) || /server-filesystem/.test(fullCmd);
+    if (isFsServer || args.some(a => _FS_LIKE_PATH_RE.test(a))) {
+      const overscoped = args.find(a =>
+        typeof a === 'string' && _FS_OVERSCOPE_RE.some(re => re.test(a.trim()))
+      );
+      if (overscoped) {
+        push({
+          id: `mcp-audit:${fp}:${line}:fs-overscope`,
+          kind: 'mcp', severity: 'high',
+          vuln: 'MCP: filesystem server granted root or $HOME scope',
+          cwe: 'CWE-732', stride: 'Elevation of Privilege',
+          file: fp, line, snippet: `${name}: ${overscoped}`,
+          fix: `Filesystem MCP server "${name}" can read every file in ${overscoped}. Scope to the specific project directory the agent needs, e.g. \`/Users/me/code/this-project\`. Never grant \`/\`, \`$HOME\`, or \`~\`.`,
+        });
+      }
+    }
+
+    // 5. Dangerous capability name (shell, exec, eval, etc.) exposed unscoped
+    if (_DANGEROUS_CAPABILITY_NAMES.test(name) || _DANGEROUS_CAPABILITY_NAMES.test(fullCmd)) {
+      push({
+        id: `mcp-audit:${fp}:${line}:dangerous-capability`,
+        kind: 'mcp', severity: 'high',
+        vuln: 'MCP: server exposes a dangerous capability (shell/exec/eval) to the model',
+        cwe: 'CWE-77', stride: 'Elevation of Privilege',
+        file: fp, line, snippet: `${name}`,
+        fix: `Server "${name}" lets the model run arbitrary commands. If you keep it, restrict the working directory and the allowed binary list, and require user confirmation per call (most clients support an \`approval: ask\` flag).`,
+      });
+    }
+
+    // 6. Description-field prompt injection
+    const desc = typeof srv.description === 'string' ? srv.description : '';
+    if (desc && _PROMPT_INJECTION_RE.some(re => re.test(desc))) {
+      const dline = _findLineOf(raw, desc.slice(0, 40));
+      push({
+        id: `mcp-audit:${fp}:${dline}:prompt-injection-description`,
+        kind: 'mcp', severity: 'critical',
+        vuln: 'MCP: prompt-injection text inside server description',
+        cwe: 'CWE-1336', stride: 'Spoofing',
+        file: fp, line: dline, snippet: desc.slice(0, 200),
+        fix: `The description for "${name}" contains an instruction that overrides agent behavior. Treat MCP server metadata as untrusted input — the agent reads it. Strip the override and only describe what the server actually does.`,
+      });
+    }
+
+    // Also: prompt injection inside any tool definitions embedded in this config
+    const toolsArr = Array.isArray(srv.tools) ? srv.tools : [];
+    for (const t of toolsArr) {
+      if (!t || typeof t !== 'object') continue;
+      const tDesc = typeof t.description === 'string' ? t.description : '';
+      if (tDesc && _PROMPT_INJECTION_RE.some(re => re.test(tDesc))) {
+        const tline = _findLineOf(raw, tDesc.slice(0, 40));
+        push({
+          id: `mcp-audit:${fp}:${tline}:prompt-injection-tool-desc`,
+          kind: 'mcp', severity: 'critical',
+          vuln: 'MCP: prompt-injection text inside tool description',
+          cwe: 'CWE-1336', stride: 'Spoofing',
+          file: fp, line: tline, snippet: tDesc.slice(0, 200),
+          fix: `Tool "${t.name || '(unnamed)'}" carries an instruction inside its description. The agent reads tool descriptions as part of its system context. Remove the injection.`,
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+// Public for tests + the engine
+export const _internal = {
+  _isMcpConfigFile,
+  _HARDCODED_CRED_RE,
+  _PROMPT_INJECTION_RE,
+  _DANGEROUS_CAPABILITY_NAMES,
+};

package/src/sast/mobile-manifest.js

@@ -0,0 +1,195 @@
+// Mobile manifest audit — AndroidManifest.xml + Info.plist + module.json5.
+//
+// Cross-language: catches mobile security misconfig regardless of whether
+// the codebase is Java / Kotlin / Swift / Dart / ArkTS.
+//
+// Coverage:
+//   AndroidManifest.xml
+//     - android:exported="true" on non-launcher activities
+//     - <application android:debuggable="true">
+//     - <application android:allowBackup="true"> with sensitive data hints
+//     - <application android:usesCleartextTraffic="true">
+//     - dangerous permissions without rationale
+//   Info.plist
+//     - NSAllowsArbitraryLoads = true (ATS bypass)
+//     - Missing NS*UsageDescription for declared permissions
+//   module.json5 (HarmonyOS)
+//     - Permission without usedScene / reason
+
+const _ANDROID_MANIFEST_RE = /(?:^|[\\/])AndroidManifest\.xml$/i;
+const _INFO_PLIST_RE = /(?:^|[\\/])Info\.plist$/i;
+const _MODULE_JSON5_RE = /(?:^|[\\/])module\.json5$/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+export function scanMobileManifest(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 200_000) return [];
+
+  if (_ANDROID_MANIFEST_RE.test(file)) return _scanAndroidManifest(file, raw);
+  if (_INFO_PLIST_RE.test(file)) return _scanInfoPlist(file, raw);
+  if (_MODULE_JSON5_RE.test(file)) return _scanModuleJson5(file, raw);
+  return [];
+}
+
+function _scanAndroidManifest(file, raw) {
+  const findings = [];
+
+  // android:debuggable="true"
+  for (const m of raw.matchAll(/android:debuggable\s*=\s*["']true["']/g)) {
+    findings.push({
+      id: `mobile-android:debuggable-true:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'AndroidManifest <application android:debuggable="true">',
+      severity: 'critical',
+      family: 'mobile-android-debuggable',
+      cwe: 'CWE-489',
+      confidence: 0.95,
+      description: 'A debuggable APK shipped to production allows any user with adb to attach jdb, inspect process memory, and arbitrarily call methods. JADX + Frida pair this into a one-step bypass for any client-side check.',
+      remediation: 'Remove android:debuggable from <application>, or set false in release builds. Most build systems strip this from release variants automatically — verify your release manifest.',
+    });
+  }
+
+  // usesCleartextTraffic="true"
+  for (const m of raw.matchAll(/android:usesCleartextTraffic\s*=\s*["']true["']/g)) {
+    findings.push({
+      id: `mobile-android:cleartext-traffic:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'AndroidManifest android:usesCleartextTraffic="true"',
+      severity: 'high',
+      family: 'mobile-android-cleartext',
+      cwe: 'CWE-319',
+      confidence: 0.95,
+      description: 'Allows the app to make plaintext HTTP requests. Network-level attackers on the same Wi-Fi can intercept and tamper with traffic.',
+      remediation: 'Set usesCleartextTraffic="false" and rely on TLS. If specific dev/internal hosts genuinely need HTTP, scope them via network_security_config.xml domain-config — never the whole app.',
+    });
+  }
+
+  // android:exported="true" on non-launcher activities (no LAUNCHER intent filter)
+  // Walk each <activity ... android:exported="true" ...> ... </activity>
+  const activityRe = /<activity\b([^>]*)>([\s\S]*?)<\/activity>|<activity\b([^/]*)\/>/g;
+  let am;
+  while ((am = activityRe.exec(raw))) {
+    const head = am[1] || am[3] || '';
+    const body = am[2] || '';
+    if (!/android:exported\s*=\s*["']true["']/.test(head)) continue;
+    // Skip the launcher activity (which MUST be exported).
+    if (/android\.intent\.category\.LAUNCHER/.test(body) ||
+        /android\.intent\.category\.LAUNCHER/.test(head)) continue;
+    findings.push({
+      id: `mobile-android:exported-true:${file}:${_line(raw, am.index)}`,
+      file, line: _line(raw, am.index),
+      vuln: 'AndroidManifest <activity android:exported="true"> on a non-launcher activity',
+      severity: 'high',
+      family: 'mobile-android-exported',
+      cwe: 'CWE-926',
+      confidence: 0.85,
+      description: 'Any other app on the device can start this Activity via Intent. Combined with a vulnerable intent extras handler, this is a one-app RCE.',
+      remediation: 'Set android:exported="false" unless another app genuinely needs to start this Activity. If it does, verify intent extras and require android:permission to gate access.',
+    });
+  }
+
+  // allowBackup="true" with no fullBackupContent restrictions
+  if (/android:allowBackup\s*=\s*["']true["']/.test(raw) && !/android:fullBackupContent\s*=/.test(raw)) {
+    const m = /android:allowBackup\s*=\s*["']true["']/.exec(raw);
+    findings.push({
+      id: `mobile-android:allow-backup:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'AndroidManifest android:allowBackup="true" without fullBackupContent restriction',
+      severity: 'medium',
+      family: 'mobile-android-backup',
+      cwe: 'CWE-552',
+      confidence: 0.75,
+      description: 'On debug-enabled devices, adb can pull the app\'s entire data dir (preferences, databases, files) via adb backup. Without a fullBackupContent restriction, sensitive data is included.',
+      remediation: 'Set allowBackup="false", or provide fullBackupContent="@xml/backup_rules" with an explicit include/exclude list.',
+    });
+  }
+
+  return findings;
+}
+
+function _scanInfoPlist(file, raw) {
+  const findings = [];
+
+  // NSAllowsArbitraryLoads = true
+  const re = /<key>\s*NSAllowsArbitraryLoads\s*<\/key>\s*<true\s*\/>/i;
+  if (re.test(raw)) {
+    const m = re.exec(raw);
+    findings.push({
+      id: `mobile-ios:ats-disabled:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Info.plist NSAllowsArbitraryLoads = true — App Transport Security disabled',
+      severity: 'high',
+      family: 'mobile-ios-ats-disabled',
+      cwe: 'CWE-319',
+      confidence: 0.95,
+      description: 'ATS-disabled apps make plaintext HTTP calls to arbitrary hosts. Network-level attackers can intercept tokens / PII / session cookies trivially.',
+      remediation: 'Remove NSAllowsArbitraryLoads or set to false. If a specific domain genuinely needs HTTP (legacy backend), scope via NSExceptionDomains with NSExceptionAllowsInsecureHTTPLoads on that single host.',
+    });
+  }
+
+  // Permissions declared without usage description — known iOS keys.
+  const IOS_PERMS = [
+    ['NSCameraUsageDescription', 'camera'],
+    ['NSMicrophoneUsageDescription', 'microphone'],
+    ['NSLocationWhenInUseUsageDescription', 'location-when-in-use'],
+    ['NSLocationAlwaysAndWhenInUseUsageDescription', 'location-always'],
+    ['NSPhotoLibraryUsageDescription', 'photo library'],
+    ['NSContactsUsageDescription', 'contacts'],
+    ['NSCalendarsUsageDescription', 'calendar'],
+    ['NSBluetoothAlwaysUsageDescription', 'bluetooth'],
+    ['NSAppleMusicUsageDescription', 'media library'],
+    ['NSMotionUsageDescription', 'motion'],
+    ['NSFaceIDUsageDescription', 'face id'],
+  ];
+  for (const [key, label] of IOS_PERMS) {
+    // Check: <key>KEY</key> present AND followed by empty <string></string> (within 200 chars)
+    const re2 = new RegExp(`<key>\\s*${key}\\s*</key>\\s*<string>\\s*</string>`, 'i');
+    if (re2.test(raw)) {
+      const m = re2.exec(raw);
+      findings.push({
+        id: `mobile-ios:empty-usage-desc:${file}:${_line(raw, m.index)}:${label}`,
+        file, line: _line(raw, m.index),
+        vuln: `Info.plist ${key} declared but description is empty`,
+        severity: 'low',
+        family: 'mobile-ios-empty-permission-rationale',
+        cwe: 'CWE-1059',
+        confidence: 0.9,
+        description: `iOS displays the usage description to the user when the app first requests ${label} access. An empty string leads to App Store rejection and a worse user-trust signal.`,
+        remediation: `Provide a clear, specific reason: <string>Camera access lets you scan QR codes for fast pairing.</string>`,
+      });
+    }
+  }
+
+  return findings;
+}
+
+function _scanModuleJson5(file, raw) {
+  const findings = [];
+  // HarmonyOS: declared permission without usedScene or reason.
+  // Cheap regex check on the JSON5.
+  const permRe = /"requestPermissions"\s*:\s*\[([\s\S]*?)\]/;
+  const m = permRe.exec(raw);
+  if (!m) return findings;
+  const body = m[1];
+  // For each block { "name": "...", ... } in the array, check usedScene / reason.
+  for (const pm of body.matchAll(/\{[^{}]*"name"\s*:\s*"([^"]+)"[^{}]*\}/g)) {
+    const block = pm[0];
+    const permName = pm[1];
+    if (/"usedScene"\s*:/.test(block) && /"reason"\s*:/.test(block)) continue;
+    findings.push({
+      id: `mobile-harmony:missing-permission-rationale:${file}:${_line(raw, pm.index + m.index)}:${permName}`,
+      file, line: _line(raw, pm.index + m.index),
+      vuln: `HarmonyOS module.json5 permission "${permName}" missing usedScene or reason`,
+      severity: 'low',
+      family: 'mobile-harmony-permission-rationale',
+      cwe: 'CWE-862',
+      confidence: 0.85,
+      description: 'HarmonyOS requires every requested permission to declare usedScene and a user-facing reason. Missing the rationale leads to runtime denial.',
+      remediation: 'Add "usedScene": { "abilities": ["EntryAbility"], "when": "always" } and "reason": "$string:permission_reason".',
+    });
+  }
+  return findings;
+}