@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/response-splitting.js

@@ -0,0 +1,138 @@
+// HTTP Response Splitting / CRLF Injection (CWE-113).
+//
+// Pattern: a header value or `Location:` body is set from user input
+// without stripping CR/LF. The attacker injects `\r\n\r\n<html>…` and
+// splits the response, turning a single response into two — the second
+// one fully attacker-controlled. Same root mechanism as open-redirect
+// when the location is concatenated, but the consequence is broader
+// (cache poisoning, XSS via injected body, session fixation).
+//
+// We catch:
+//   - JS/Node:      res.setHeader('X-…', userValue)
+//                   res.set('X-…', userValue)
+//                   ctx.response.set('X-…', userValue)
+//   - Java:         response.setHeader(…, name)
+//                   response.addHeader(…, name)
+//   - Python:       response['X-…'] = userValue       (Django)
+//                   response.headers['X-…'] = userValue (Flask)
+//   - PHP:          header("X-…: " . $_GET[...])  (also caught by open-redirect
+//                   when Location:; this rule catches non-Location headers)
+//
+// Suppression: if the user value passes through a CRLF strip / regex
+// filter / a known sanitizer (`escape`, `URLEncoder.encode`, `quote_plus`)
+// in the preceding 30 lines, no finding.
+
+import { blankComments } from './_comment-strip.js';
+
+const PATTERNS = [
+  // res.setHeader('name', val) | res.set('name', val) | ctx.response.set(…)
+  ['js', /\b(?:res|reply|response|ctx\.response)\s*\.\s*(?:setHeader|set|append)\s*\(\s*[`"'][^`"']+[`"']\s*,\s*([^)]+?)\s*\)/g, 'res.setHeader'],
+  // response.setHeader / response.addHeader  (Java Servlet API). Accept any
+  // identifier as the receiver — `resp`, `response`, `httpResponse`, etc.
+  ['java', /\b(?:[A-Za-z_][\w]*)\s*\.\s*(?:setHeader|addHeader)\s*\(\s*"[^"]+"\s*,\s*([^)]+?)\s*\)/g, 'setHeader'],
+  // Django/Flask response.headers['X-…'] = userValue
+  ['py', /\b(?:response|resp|r)\s*(?:\.\s*headers)?\s*\[\s*['"][^'"]+['"]\s*\]\s*=\s*([^\n;]+)/g, 'response.headers[…] = …'],
+  // PHP header("X-Foo: " . $_GET[…])  (Location: variants handled by open-redirect)
+  ['php', /\bheader\s*\(\s*['"](?!Location)([^'"]+):\s*['"]\s*\.\s*(\$\w[\w\[\]'"]*)/g, 'PHP header()'],
+];
+
+const TAINT_HINT_RE =
+  /\b(?:req\.|request\.|params\.|query\.|body\.|ctx\.query|ctx\.request|reply\.query|c\.Query|r\.URL\.Query|_GET|_POST|_REQUEST|getParameter|getHeader)\b/;
+
+const SANITIZER_PATTERNS = [
+  /\.replace\s*\(\s*\/\\r\?\\?n/i,                // .replace(/\r?\n/, '')
+  /\.replace\s*\(\s*\/[\[]\\r\\n[\]]/i,           // .replace(/[\r\n]/, '')
+  /\.replaceAll\s*\(\s*['"]\\r?\\?n?['"]/,
+  /\bstripNewlines\b/i,
+  /\bsanitizeHeader\b/i,
+  /\bescapeCRLF\b/i,
+  /\bURLEncoder\s*\.\s*encode\b/,
+  /\bquote_plus\s*\(/,
+  /\bencodeURIComponent\s*\(/,
+  /\bquote\s*\(/,
+  // Explicit CRLF reject patterns — any reference to \r\n inside a
+  // .matches / regex check, paired with throw/return earlier in the file.
+  /\.matches\s*\([^)]*\\\\?r\\\\?n/,              // .matches(... \r\n ...)
+  /\babort\s*\(\s*4\d\d/,                         // abort(4xx) earlier
+  /\bres\s*\.\s*status\s*\(\s*4\d\d\b/,
+  /\bthrow\s+new\s+\w+Exception\s*\([^)]*(?:header|crlf|newline)/i,
+];
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+function _lang(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return 'js';
+  if (/\.py$/i.test(fp)) return 'py';
+  if (/\.java$/i.test(fp)) return 'java';
+  if (/\.php$/i.test(fp)) return 'php';
+  return null;
+}
+
+function _looksSanitizedAbove(raw, callLine) {
+  const lines = raw.split('\n');
+  const lo = Math.max(0, callLine - 30);
+  const before = lines.slice(lo, callLine).join('\n');
+  for (const p of SANITIZER_PATTERNS) if (p.test(before)) return true;
+  return false;
+}
+
+export function scanResponseSplitting(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const lang = _lang(fp);
+  if (!lang) return [];
+  const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+  if (!/\b(?:setHeader|addHeader|response\s*\.\s*headers|response\s*\[|reply\s*\.\s*set|\bheader\s*\()/i.test(code)) return [];
+  const findings = [];
+  const seen = new Set();
+  for (const [plang, pat, label] of PATTERNS) {
+    if (plang !== lang) continue;
+    const re = new RegExp(pat.source, pat.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const value = (m[1] || '').trim();
+      let tainted = TAINT_HINT_RE.test(value);
+      // Java-handler-context heuristic: if the receiver looks like an
+      // HttpServletResponse and `value` is a plain ident that appears in
+      // the enclosing method's param list, treat it as user-derived. Same
+      // signature pattern as a real SAST tool's "request-scope param" rule.
+      if (!tainted && plang === 'java' && /^[A-Za-z_][\w]*$/.test(value)) {
+        const callIdx = m.index;
+        // Find the start of the enclosing method by walking back to the
+        // most recent `(...)`-style signature followed by `{`.
+        const before = code.slice(0, callIdx);
+        const sigRe = /\b(?:public|private|protected|static)[^;{]*\(([^)]*)\)\s*(?:throws[^{]+)?\{/g;
+        let sig = null;
+        let sm;
+        while ((sm = sigRe.exec(before)) !== null) sig = sm;
+        if (sig) {
+          const params = sig[1].split(',').map(p => (p.trim().split(/\s+/).pop() || '').trim());
+          if (params.includes(value)) tainted = true;
+        }
+      }
+      if (!tainted) continue;
+      const line = _lineOf(raw, m.index);
+      if (_looksSanitizedAbove(raw, line)) continue;
+      const id = `response-splitting:${fp}:${line}:${label}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: fp, line,
+        vuln: `HTTP Response Splitting / CRLF Injection (${label})`,
+        severity: 'high',
+        cwe: 'CWE-113',
+        family: 'response-splitting',
+        stride: 'Tampering',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation:
+          'Strip or reject CR/LF characters before writing the value into a response header. ' +
+          'Better: validate the value against a strict pattern (alnum + a small set of punctuation) and reject anything else. ' +
+          'Java Servlet: prefer `response.setHeader(name, URLEncoder.encode(value, "UTF-8"))` or normalize via a helper. ' +
+          'Node: `value.replace(/[\\r\\n]/g, "")` before `res.setHeader`. ' +
+          'Django/Flask: assign through a setter that sanitizes; never raw `response[".."] = userInput`.',
+        parser: 'RESPONSE-SPLITTING',
+        confidence: 0.85,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/ruby.js

@@ -0,0 +1,108 @@
+import { blankComments } from './_comment-strip.js';
+// Ruby-specific detectors. Targets Rails idioms and the eval-family methods
+// that make Ruby code easy to compromise when fed untrusted input.
+//
+//   - User input into eval / instance_eval / class_eval / module_eval
+//   - send / public_send with a user-controlled method name
+//   - Marshal.load on user input
+//   - YAML.load (not safe_load) on user input
+//   - ERB.new(...).result on user input
+//   - Open / `` (backtick) with user input (command injection)
+//   - Rails: attributes = params (without strong_params)
+//   - Open::URI.open(user_url) — SSRF
+//   - File.read(params[...]) — path traversal
+
+const RE = {
+  evalFamily: /\b(?:eval|instance_eval|class_eval|module_eval)\s*\(?\s*(?:params|request|@\w+\.params|cookies|session)\b/g,
+  send: /\.(?:send|public_send)\s*\(\s*(?:params|request|@\w+\.params)\b/g,
+  marshalLoad: /\bMarshal\s*\.\s*load\s*\(\s*(?:params|request|@\w+\.params|cookies|session)\b/g,
+  yamlUnsafe: /\bYAML\s*\.\s*load\s*\(\s*(?:params|request|@\w+\.params|cookies|session)\b/g,
+  erbResult: /\bERB\.new\s*\(\s*(?:params|request|@\w+\.params)\b[^)]*\)\s*\.\s*result/g,
+  backtick: /`[^`]*#\{[^}]*\b(?:params|request|@\w+\.params)\b[^}]*\}/g,
+  systemUser: /\b(?:system|exec|Open3\.capture\d*|IO\.popen)\s*\(\s*[^)]*\b(?:params|request|@\w+\.params)\b/g,
+  attributesEq: /\.\s*attributes\s*=\s*params\b(?!\s*\.permit)/g,
+  openSsrf: /\b(?:open|URI\.open|URI\.parse\([^)]*\)\.read)\s*\(\s*(?:params|request|@\w+\.params)\b/g,
+  fileRead: /\bFile\s*\.\s*(?:read|open|new|readlines)\s*\(\s*params\s*\[/g,
+};
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanRuby(fp, raw) {
+  if (!/\.rb$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  // Ruby's comment char is # (same as Python) — use the py stripper.
+  const code = blankComments(raw, 'py');
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  for (const [key, re] of Object.entries(RE)) {
+    const r = new RegExp(re.source, re.flags);
+    let m;
+    while ((m = r.exec(code))) {
+      const line = lineOf(raw, m.index);
+      const meta = {
+        evalFamily: {
+          vuln: 'Code Injection: eval/instance_eval/class_eval on user-controlled input',
+          severity: 'critical', cwe: 'CWE-94',
+          remediation: 'Never call eval on user input — there is no safe sanitization. Replace with explicit branching on enumerated values, a method dispatch table (whitelist), or a parser for a constrained DSL.',
+        },
+        send: {
+          vuln: 'Method Reflection: send/public_send with user-controlled method name',
+          severity: 'high', cwe: 'CWE-470',
+          remediation: 'Validate the method name against an explicit whitelist before sending. `params[:action]` straight into `send` lets the client invoke any method on the receiver, including private ones with `send`.',
+        },
+        marshalLoad: {
+          vuln: 'Insecure Deserialization: Marshal.load on user input',
+          severity: 'critical', cwe: 'CWE-502',
+          remediation: 'Marshal is unsafe by design — never use it on data crossing a trust boundary. Replace with JSON or msgpack with an explicit schema.',
+        },
+        yamlUnsafe: {
+          vuln: 'Insecure Deserialization: YAML.load on user input',
+          severity: 'critical', cwe: 'CWE-502',
+          remediation: 'Replace `YAML.load(input)` with `YAML.safe_load(input, permitted_classes: [Symbol], aliases: true)` — the default `load` will instantiate arbitrary Ruby classes from a crafted document (same risk class as Marshal).',
+        },
+        erbResult: {
+          vuln: 'Server-Side Template Injection: ERB.new(user_template).result',
+          severity: 'critical', cwe: 'CWE-94',
+          remediation: 'Never feed a user-supplied string into ERB. Predefine templates server-side; the client may pass *values*, never the template body.',
+        },
+        backtick: {
+          vuln: 'Command Injection: backtick command interpolates request data',
+          severity: 'critical', cwe: 'CWE-78',
+          remediation: 'Use `Open3.capture2(["cmd", arg1, arg2])` with an array form so the shell does not parse anything. Backticks and `system("cmd #{params[...]}")` are pure shell injection.',
+        },
+        systemUser: {
+          vuln: 'Command Injection: system/exec/Open3 with user-controlled input',
+          severity: 'critical', cwe: 'CWE-78',
+          remediation: 'Use the array form: `system(["cmd", arg])`. The string form lets the shell parse — any quoting trick wins.',
+        },
+        attributesEq: {
+          vuln: 'Mass Assignment: model.attributes = params (no strong_params)',
+          severity: 'high', cwe: 'CWE-915',
+          remediation: 'Use `params.require(:user).permit(:name, :email)` — explicit allow-list. Assigning raw `params` lets the client set fields the controller never intended (admin: true, role: ...).',
+        },
+        openSsrf: {
+          vuln: 'SSRF: open/URI.open with user-controlled URL',
+          severity: 'high', cwe: 'CWE-918',
+          remediation: 'Resolve and validate the host against an allow-list before fetching. `open(params[:url])` is also a path-traversal vector under older Ruby (open-uri inherits Kernel#open semantics).',
+        },
+        fileRead: {
+          vuln: 'Path Traversal: File.read/open with user-controlled path',
+          severity: 'high', cwe: 'CWE-22',
+          remediation: 'Canonicalize the path and verify it stays under an allowed base: `path = File.expand_path(File.join(base, name)); raise unless path.start_with?(base)`.',
+        },
+      }[key];
+      push({
+        id: `ruby-${key}:${fp}:${line}`,
+        file: fp, line,
+        vuln: meta.vuln, severity: meta.severity, cwe: meta.cwe,
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: meta.remediation,
+        parser: 'RUBY',
+        confidence: 0.80,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/rust.js

@@ -0,0 +1,105 @@
+// Rust SAST module.
+//
+// Rust is memory-safe by default; the interesting attacks are:
+//   - sqlx::query(&format!(...))             SQL injection via format! macro
+//                                            (sqlx::query! is the safe macro)
+//   - Command::new("sh").arg("-c").arg(user) shell-form command injection
+//   - serde_json::from_str::<Value>(...)     type-confusion when downstream code
+//                                            unwraps without validation
+//   - unsafe { ... } blocks                  informational — counts and reports
+//                                            location; not a finding by itself
+//   - hardcoded crypto seed                  Rng::from_seed([0; 32]) or similar
+//
+// Patterns are syntactically distinctive and don't false-match in other languages.
+
+import { blankComments } from './_comment-strip.js';
+
+const FINDINGS = [
+  {
+    id: 'rust-sqlx-format', severity: 'high', cwe: 'CWE-89', family: 'sql-injection',
+    // sqlx::query(&format!("...{}...", user))  — the format! macro disables
+    // the compile-time placeholder check that sqlx::query! / query_as! enforce.
+    re: /\bsqlx::(?:query|query_as|query_scalar)(?:_unchecked)?\s*\(\s*&?\s*format!\s*\(/g,
+    vuln: 'SQL Injection — sqlx::query with format! macro',
+    remediation: 'Use the compile-time-checked macros instead: `sqlx::query!("SELECT … WHERE id = $1", id)` (note the `!` and `$1` placeholder). `query(&format!(…))` interpolates user data into the SQL string at runtime, defeating sqlx\'s static SQL guarantee.',
+  },
+  {
+    id: 'rust-cmd-shell', severity: 'critical', cwe: 'CWE-78', family: 'command-injection',
+    // Command::new("sh").arg("-c").arg(user_input) — restrict to a single
+    // statement by forbidding `;` between the segments.
+    re: /\bCommand::new\s*\(\s*"(?:sh|bash|zsh|cmd|cmd\.exe|powershell)"\s*\)[^;]{0,200}\.\s*arg\s*\(\s*"-c"\s*\)[^;]{0,200}\.\s*arg\s*\(\s*(?!"[^"]*"\s*\))/g,
+    vuln: 'Command Injection — Command::new("sh").arg("-c").arg(<dynamic>)',
+    remediation: 'Drop the shell. Pass the program and arguments to Command::new directly: `Command::new("ls").arg("-l").arg(&user_dir)`. The shell-form (`sh -c "..."`) interprets metacharacters in user input.',
+  },
+  {
+    id: 'rust-cmd-arg-format', severity: 'high', cwe: 'CWE-78', family: 'command-injection',
+    // Command::new(...).arg(format!("--flag={}", user)) — restrict to a
+    // single statement (no `;` between the call and the .arg).
+    re: /\bCommand::new\s*\([^)]+\)[^;]{0,200}\.\s*arg\s*\(\s*format!\s*\(/g,
+    vuln: 'Command Injection — Command::arg(format!(...)) interpolates user input',
+    remediation: 'Pass each value as its own .arg(): `cmd.arg("--user").arg(&name)`. Building one argument with format!("…{user}…") loses the argv boundary and can be split by spaces / shell metachars depending on the program.',
+  },
+  {
+    id: 'rust-rng-zero-seed', severity: 'high', cwe: 'CWE-338', family: 'weak-rng',
+    // ChaCha20Rng::from_seed([0; 32]) or seed: [0u8; 32]
+    re: /\b(?:ChaCha\d+Rng|StdRng|SmallRng|Hc128Rng|Pcg\d+|Isaac\d+Rng)::from_seed\s*\(\s*\[\s*0\s*[;u]/g,
+    vuln: 'Weak randomness — RNG seeded with constant zeros',
+    remediation: 'Seed from the OS CSPRNG: `let rng = ChaCha20Rng::from_entropy()` or `OsRng.fill_bytes(&mut seed)`. A constant seed makes the RNG output fully predictable.',
+  },
+  {
+    id: 'rust-unsafe-block', severity: 'info', cwe: 'CWE-758', family: 'unsafe-block',
+    // unsafe { ... } — informational, but counted so reviewers can flag densities
+    re: /\bunsafe\s*\{/g,
+    vuln: 'unsafe block — review for memory-safety invariants',
+    remediation: 'Each `unsafe` block bypasses Rust\'s memory-safety guarantees. Verify the invariants documented for the unsafe operation hold (typically: aliasing rules, bounds, lifetime extension). Audit dense unsafe regions for buffer overflows, use-after-free, and data races.',
+    infoOnly: true,
+  },
+  {
+    id: 'rust-actix-extract-string', severity: 'medium', cwe: 'CWE-20', family: 'input-validation',
+    // web::Path<String> / web::Query<String> — accepts arbitrary user-controlled
+    // strings without a typed extractor. Often a precursor to SQL/path/cmd-injection.
+    re: /\bweb::(?:Path|Query)<\s*String\s*>/g,
+    vuln: 'Untyped Actix extractor — web::Path<String>/web::Query<String> accepts any input',
+    remediation: 'Define a typed struct with serde for the extractor: `#[derive(Deserialize)] struct UserPath { id: i64 }`. Typed extractors reject malformed input at the framework boundary instead of bubbling raw strings into your handlers.',
+    infoOnly: true,
+  },
+];
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanRust(fp, raw) {
+  if (!/\.rs$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const code = blankComments(raw);
+  const out = [];
+  const seen = new Set();
+  for (const rule of FINDINGS) {
+    const re = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    let count = 0;
+    while ((m = re.exec(code))) {
+      const line = lineOf(raw, m.index);
+      const id = `${rule.id}:${fp}:${line}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      // For informational rules, only emit the first 3 hits per file
+      // (avoids drowning the output with low-signal `unsafe` blocks).
+      if (rule.infoOnly && ++count > 3) break;
+      out.push({
+        id, file: fp, line,
+        vuln: rule.vuln,
+        severity: rule.severity,
+        cwe: rule.cwe,
+        stride: rule.family === 'sql-injection' ? 'Tampering'
+              : rule.family === 'command-injection' ? 'Elevation of Privilege'
+              : rule.family === 'weak-rng' ? 'Spoofing'
+              : 'Information Disclosure',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: rule.remediation,
+        confidence: 0.85,
+        parser: 'RUST',
+      });
+    }
+  }
+  return out;
+}

package/src/sast/solidity.js

@@ -0,0 +1,167 @@
+// Solidity smart-contract SAST module.
+//
+// Covers the highest-impact, lowest-FP-risk smart-contract patterns:
+//   - reentrancy            external call (.call.value / .send / .transfer) followed
+//                            by a state-changing statement in the same function
+//   - tx-origin             `tx.origin == owner` / `require(tx.origin == ...)`
+//                            — vulnerable to phishing-style proxy attacks
+//   - integer-overflow      pragma solidity ^0.7.x or older without SafeMath import
+//                            — Solidity 0.8+ has built-in overflow checks
+//   - block-timestamp-rng   block.timestamp / block.difficulty used as randomness
+//   - unprotected-selfdestruct  selfdestruct() in a function without owner check
+//   - delegatecall-user     delegatecall with user-controlled target
+//   - low-level-call-unchecked  unchecked return value from .call / .send
+//
+// Solidity syntax is distinctive enough that these patterns won't false-match
+// in any other language.
+
+import { blankComments } from './_comment-strip.js';
+
+const FINDINGS = [
+  {
+    id: 'sol-reentrancy', severity: 'critical', cwe: 'CWE-841', family: 'reentrancy',
+    // .call{value: x}("") OR .call.value(x)() OR .send(x) OR .transfer(x)
+    // followed within ~6 lines by a state-changing statement (assignment to
+    // a non-local var, balances[...] = ..., totalSupply -=, etc.)
+    re: /\b(?:[a-zA-Z_]\w*)\s*\.\s*call\s*(?:\{[^}]*value\s*:[^}]*\}|\.\s*value\s*\([^)]+\))\s*\([\s\S]{0,400}?[a-zA-Z_]\w*\s*\[[^\]]+\]\s*[-+]?=/g,
+    vuln: 'Reentrancy — external call before state update (Check-Effects-Interactions violated)',
+    remediation: 'Update internal state BEFORE making the external call (Check-Effects-Interactions pattern). Or use OpenZeppelin\'s ReentrancyGuard modifier. The DAO hack ($150M, 2016) and many later incidents follow this exact shape: balance is read, .call.value() pays out, and only after does the balance get zeroed — the callee re-enters and drains.',
+  },
+  {
+    id: 'sol-tx-origin', severity: 'high', cwe: 'CWE-345', family: 'tx-origin-auth',
+    re: /\b(?:require|assert|if)\s*\(\s*[^)]*\btx\.origin\s*(?:==|!=)/g,
+    vuln: 'Authentication using tx.origin (phishing-vulnerable)',
+    remediation: 'Use `msg.sender` for the authenticated caller, never `tx.origin`. tx.origin is the EOA at the start of the call chain — if a user is tricked into calling an attacker contract that then calls yours, tx.origin is still the user but msg.sender is the attacker.',
+  },
+  {
+    id: 'sol-overflow-old-pragma', severity: 'high', cwe: 'CWE-190', family: 'integer-overflow',
+    // pragma solidity ^0.x.y where x < 8 AND no SafeMath import in file
+    re: /pragma\s+solidity\s+[\^>=~]*\s*0\.[0-7]\b/g,
+    vuln: 'Integer overflow risk — pragma <0.8 without SafeMath',
+    remediation: 'Either upgrade the pragma to `pragma solidity ^0.8.0;` (built-in checked arithmetic) or import OpenZeppelin SafeMath: `using SafeMath for uint256;`. Pre-0.8 silently wraps on overflow — a classic gateway to fund-drain bugs.',
+    fileSafe: /\b(?:SafeMath|using\s+SafeMath)\b|pragma\s+solidity\s+[\^>=~]*\s*0\.[89]|pragma\s+solidity\s+[\^>=~]*\s*[1-9]\d*\b/,
+  },
+  {
+    id: 'sol-block-timestamp-rng', severity: 'medium', cwe: 'CWE-330', family: 'weak-rng',
+    re: /\b(?:keccak256|sha3|abi\.encodePacked)\s*\([^)]*\bblock\.(?:timestamp|difficulty|number|prevrandao|coinbase)/g,
+    vuln: 'Predictable randomness — block.timestamp / block.difficulty as RNG seed',
+    remediation: 'Block proposers can influence (or fully control) block.timestamp / block.difficulty within a small range. For any randomness with funds at stake, use Chainlink VRF or a commit-reveal scheme.',
+  },
+  {
+    id: 'sol-selfdestruct-unprotected', severity: 'critical', cwe: 'CWE-284', family: 'unprotected-selfdestruct',
+    // selfdestruct(...) appears in a function. Suppress if the same function body has an owner check.
+    re: /\bselfdestruct\s*\(/g,
+    vuln: 'selfdestruct() without owner-only modifier (contract destruction risk)',
+    remediation: 'Restrict selfdestruct() to an `onlyOwner` modifier (OpenZeppelin Ownable) or guard with `require(msg.sender == owner)`. The Parity Multisig wallet ($150M, 2017) was bricked when an unprotected init function was called by an attacker who then triggered selfdestruct.',
+  },
+  {
+    id: 'sol-delegatecall-user', severity: 'critical', cwe: 'CWE-94', family: 'delegatecall-untrusted',
+    re: /\b\w+\s*\.\s*delegatecall\s*\(/g,
+    vuln: 'delegatecall — verify the target address is fixed and trusted',
+    remediation: 'delegatecall executes the target contract\'s code in YOUR contract\'s storage. If the target is user-controlled, an attacker can write arbitrary slots — including the owner field. Restrict delegatecall to a hardcoded, audited implementation address.',
+    // OpenZeppelin Address.sol and Proxy.sol implement audited library
+    // delegatecall helpers (functionDelegateCall, _delegate). They're the
+    // canonical "trusted" wrappers — firing on them is noise. Skip files
+    // whose basename is a known OZ utility.
+    skipBasename: /^(?:Address|Proxy|TransparentUpgradeableProxy|ERC1967Proxy|UpgradeableProxy|BeaconProxy|StorageSlot|Multicall)\.sol$/i,
+  },
+  {
+    id: 'sol-call-unchecked', severity: 'medium', cwe: 'CWE-252', family: 'unchecked-low-level-call',
+    // .call{...}(...) or .send(...) whose return value isn't captured to a bool
+    re: /(?:[a-zA-Z_]\w*)\s*\.\s*(?:call|send)\s*(?:\{[^}]*\})?\s*\([^;]+\);/g,
+    vuln: 'Unchecked low-level call — return value not inspected',
+    remediation: 'Capture the bool from `.call(...)` / `.send(...)` and revert on false: `(bool ok, ) = addr.call{value: amt}(""); require(ok, "call failed");`. Silent failure leaves the contract in an inconsistent state.',
+    // Suppress when the pattern is consumed by `(bool ok,) = …`
+    isSafeMatch: (matched) => /\b(?:bool\s+\w+\s*,?)?\s*\)?\s*=/.test(matched) || /^require\s*\(/.test(matched),
+  },
+];
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+// Check if the line where the selfdestruct sits is inside a function body
+// that also has an owner-check require.
+function _selfdestructHasOwnerCheck(lines, sinkLine) {
+  // Walk back to find the enclosing `function` declaration; walk forward to
+  // matching `}`. Search for an owner check within that range.
+  let openBraceLine = -1;
+  let depth = 0;
+  for (let i = sinkLine - 1; i >= 0; i--) {
+    const ln = lines[i] || '';
+    for (let k = ln.length - 1; k >= 0; k--) {
+      if (ln[k] === '}') depth++;
+      else if (ln[k] === '{') { if (depth === 0) { openBraceLine = i; } else depth--; }
+    }
+    if (openBraceLine >= 0) break;
+  }
+  if (openBraceLine < 0) return false;
+  // Look at the line above the brace for a `function ...` decl with `onlyOwner`
+  const declLine = lines[openBraceLine] || '';
+  const prevLine = lines[Math.max(0, openBraceLine - 1)] || '';
+  if (/\bonlyOwner\b/.test(declLine) || /\bonlyOwner\b/.test(prevLine)) return true;
+  // Scan body for `require(msg.sender == owner)` or `require(msg.sender == ...Owner)`
+  let d = 0;
+  for (let i = openBraceLine; i < lines.length; i++) {
+    const ln = lines[i] || '';
+    for (const c of ln) {
+      if (c === '{') d++;
+      else if (c === '}') { d--; if (d === 0) return false; }
+    }
+    if (/\brequire\s*\(\s*msg\.sender\s*==\s*\w*[Oo]wner\w*\s*[,)]/.test(ln)) return true;
+    if (/\brequire\s*\(\s*msg\.sender\s*==\s*admin/.test(ln)) return true;
+  }
+  return false;
+}
+
+export function scanSolidity(fp, raw) {
+  if (!/\.sol$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const code = blankComments(raw);
+  const lines = raw.split('\n');
+  const out = [];
+  const seen = new Set();
+  for (const rule of FINDINGS) {
+    if (rule.fileSafe && rule.fileSafe.test(code)) continue;
+    if (rule.skipBasename) {
+      const base = fp.replace(/\\/g, '/').split('/').pop() || '';
+      if (rule.skipBasename.test(base)) continue;
+    }
+    const re = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      // Suppress self-destruct findings where the enclosing function has an
+      // owner check (modifier or require).
+      if (rule.id === 'sol-selfdestruct-unprotected') {
+        const ln = lineOf(raw, m.index);
+        if (_selfdestructHasOwnerCheck(lines, ln)) continue;
+      }
+      // Skip low-level-call when the call's return is captured.
+      if (rule.id === 'sol-call-unchecked') {
+        const ln = lineOf(raw, m.index);
+        const lineText = lines[ln - 1] || '';
+        // If the line begins with `(bool` or contains ` = ` before the call,
+        // the return is being captured — suppress.
+        if (/\(\s*bool\s+\w+\s*,/.test(lineText) || /=\s*[a-zA-Z_]\w*\s*\.\s*(?:call|send)/.test(lineText)) continue;
+      }
+      const line = lineOf(raw, m.index);
+      const id = `${rule.id}:${fp}:${line}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      out.push({
+        id, file: fp, line,
+        vuln: rule.vuln,
+        severity: rule.severity,
+        cwe: rule.cwe,
+        stride: rule.family === 'reentrancy' || rule.family === 'unchecked-low-level-call' ? 'Tampering'
+              : rule.family === 'tx-origin-auth' ? 'Spoofing'
+              : rule.family === 'integer-overflow' ? 'Tampering'
+              : rule.family === 'weak-rng' ? 'Spoofing'
+              : 'Elevation of Privilege',
+        snippet: (lines[line - 1] || '').trim().slice(0, 200),
+        remediation: rule.remediation,
+        confidence: 0.85,
+        parser: 'SOL',
+      });
+    }
+  }
+  return out;
+}