@havoc-security/scanner 0.1.0

package/.turbo/turbo-build.log

@@ -0,0 +1,4 @@
+
+> @havoc/scanner@0.1.0 build /root/projects/havoc/packages/scanner
+> tsc
+

package/.turbo/turbo-test.log

@@ -0,0 +1,22 @@
+
+> @havoc/scanner@0.1.0 test /root/projects/havoc/packages/scanner
+> vitest run
+
+
+ RUN  v2.1.9 /root/projects/havoc/packages/scanner
+
+ ✓ tests/analyzers.test.ts (75 tests) 365ms
+ ✓ tests/credential-exposure.test.ts (16 tests) 20ms
+ ✓ tests/file-upload.test.ts (11 tests) 8ms
+ ✓ tests/session-security.test.ts (14 tests) 8ms
+ ✓ tests/PrivilegeEscalationAnalyzer.test.ts (12 tests) 36ms
+ ✓ tests/EncryptionAnalyzer.test.ts (12 tests) 33ms
+ ✓ tests/RateLimitAnalyzer.test.ts (13 tests) 10ms
+ ✓ tests/scanner.test.ts (9 tests) 11ms
+ ✓ tests/types.test.ts (6 tests) 5ms
+
+ Test Files  9 passed (9)
+      Tests  168 passed (168)
+   Start at  14:40:00
+   Duration  5.50s (transform 1.25s, setup 0ms, collect 2.11s, tests 497ms, environment 3ms, prepare 886ms)
+

package/dist/analyzers/AuthorizationCoverageAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class AuthorizationCoverageAnalyzer implements Analyzer {
+    readonly name = "AuthorizationCoverageAnalyzer";
+    readonly description = "Checks that all controller action methods have authorization in place";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=AuthorizationCoverageAnalyzer.d.ts.map

package/dist/analyzers/AuthorizationCoverageAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationCoverageAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/AuthorizationCoverageAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AA8CzF,qBAAa,6BAA8B,YAAW,QAAQ;IAC5D,QAAQ,CAAC,IAAI,mCAAiB;IAC9B,QAAQ,CAAC,WAAW,2EAA2E;IAEzF,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CAqE7E"}

package/dist/analyzers/AuthorizationCoverageAnalyzer.js

@@ -0,0 +1,100 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const EXCLUDED_METHOD_NAMES = new Set([
+    '__construct', '__destruct', 'middleware', 'callAction',
+    'authorize', 'authorizeResource', 'authorizeForUser',
+]);
+const AUTHORIZATION_PATTERNS = [
+    /\$this->authorize\s*\(/,
+    /Gate::authorize\s*\(/,
+    /Gate::allows\s*\(/,
+    /Gate::denies\s*\(/,
+    /Gate::check\s*\(/,
+    /Gate::any\s*\(/,
+    /Gate::none\s*\(/,
+    /->can\s*\(/,
+    /->cannot\s*\(/,
+    /->cant\s*\(/,
+    /\$this->middleware\s*\(\s*['"]can:/,
+];
+const FORM_REQUEST_PATTERNS = [/extends\s+FormRequest/];
+const FINDING_ID = 'HAVOC-AUTH-001';
+const COVERAGE_FINDING_ID = 'HAVOC-AUTH-002';
+const ANALYZER_NAME = 'AuthorizationCoverageAnalyzer';
+function isControllerFile(path) {
+    return path.includes('Http/Controllers') || path.includes('Http\\Controllers');
+}
+function isPublicAction(method) {
+    return (method.visibility === 'public' &&
+        !EXCLUDED_METHOD_NAMES.has(method.name) &&
+        !method.name.startsWith('_'));
+}
+function hasAuthorization(method) {
+    return AUTHORIZATION_PATTERNS.some((re) => re.test(method.bodyText));
+}
+export class AuthorizationCoverageAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Checks that all controller action methods have authorization in place';
+    async analyze(files, _config) {
+        const findings = [];
+        let totalActions = 0;
+        let coveredActions = 0;
+        for (const file of files) {
+            if (!isControllerFile(file.path))
+                continue;
+            const phpFile = file;
+            if (!phpFile.classes)
+                continue;
+            const hasFormRequest = FORM_REQUEST_PATTERNS.some((re) => re.test(file.content));
+            for (const cls of phpFile.classes) {
+                for (const method of cls.methods) {
+                    if (!isPublicAction(method))
+                        continue;
+                    totalActions++;
+                    const authorized = hasAuthorization(method) || hasFormRequest;
+                    if (authorized) {
+                        coveredActions++;
+                    }
+                    else {
+                        findings.push({
+                            id: FINDING_ID,
+                            severity: Severity.High,
+                            analyzer: ANALYZER_NAME,
+                            title: `Unprotected controller action: ${cls.name}::${method.name}()`,
+                            description: `The method \`${method.name}()\` in \`${cls.name}\` does not appear to perform ` +
+                                `any authorization checks. Missing \`$this->authorize()\`, Gate checks, or ` +
+                                `policy-backed FormRequest.`,
+                            file: file.path,
+                            line: method.line,
+                            recommendation: 'Add `$this->authorize(\'action\', Model::class)` at the top of the method, ' +
+                                'or use a policy-backed FormRequest, or apply `can:permission` middleware to the route.',
+                            cwe: 'CWE-862',
+                            snippet: method.bodyText.slice(0, 200),
+                        });
+                    }
+                }
+            }
+        }
+        if (totalActions > 0) {
+            const coveragePercent = Math.round((coveredActions / totalActions) * 100);
+            const minCoverage = (_config.analyzers?.authorizationCoverage?.minCoverage ?? 80);
+            if (coveragePercent < minCoverage) {
+                findings.push({
+                    id: COVERAGE_FINDING_ID,
+                    severity: Severity.Medium,
+                    analyzer: ANALYZER_NAME,
+                    title: `Authorization coverage is ${coveragePercent}% (minimum: ${minCoverage}%)`,
+                    description: `Only ${coveredActions} of ${totalActions} controller actions have detectable ` +
+                        `authorization checks. Target coverage: ${minCoverage}%.`,
+                    file: 'app/Http/Controllers',
+                    line: 1,
+                    recommendation: 'Review unprotected controller actions and add appropriate authorization. ' +
+                        'Consider using Laravel policies for consistent authorization.',
+                    cwe: 'CWE-862',
+                });
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=AuthorizationCoverageAnalyzer.js.map

package/dist/analyzers/AuthorizationCoverageAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationCoverageAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/AuthorizationCoverageAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAGzF,iFAAiF;AAEjF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,aAAa,EAAE,YAAY,EAAE,YAAY,EAAE,YAAY;IACvD,WAAW,EAAE,mBAAmB,EAAE,kBAAkB;CACrD,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG;IAC7B,wBAAwB;IACxB,sBAAsB;IACtB,mBAAmB;IACnB,mBAAmB;IACnB,kBAAkB;IAClB,gBAAgB;IAChB,iBAAiB;IACjB,YAAY;IACZ,eAAe;IACf,aAAa;IACb,oCAAoC;CACrC,CAAC;AAEF,MAAM,qBAAqB,GAAG,CAAC,uBAAuB,CAAC,CAAC;AAExD,MAAM,UAAU,GAAG,gBAAgB,CAAC;AACpC,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAC7C,MAAM,aAAa,GAAG,+BAA+B,CAAC;AAEtD,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;AACjF,CAAC;AAED,SAAS,cAAc,CAAC,MAAqB;IAC3C,OAAO,CACL,MAAM,CAAC,UAAU,KAAK,QAAQ;QAC9B,CAAC,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC;QACvC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAC7B,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,MAAqB;IAC7C,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,OAAO,6BAA6B;IAC/B,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,uEAAuE,CAAC;IAE/F,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,cAAc,GAAG,CAAC,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE3C,MAAM,OAAO,GAAG,IAAqB,CAAC;YACtC,IAAI,CAAC,OAAO,CAAC,OAAO;gBAAE,SAAS;YAE/B,MAAM,cAAc,GAAG,qBAAqB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YAEjF,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBAClC,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;oBACjC,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC;wBAAE,SAAS;oBACtC,YAAY,EAAE,CAAC;oBAEf,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,IAAI,cAAc,CAAC;oBAC9D,IAAI,UAAU,EAAE,CAAC;wBACf,cAAc,EAAE,CAAC;oBACnB,CAAC;yBAAM,CAAC;wBACN,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,UAAU;4BACd,QAAQ,EAAE,QAAQ,CAAC,IAAI;4BACvB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,kCAAkC,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,IAAI;4BACrE,WAAW,EACT,gBAAgB,MAAM,CAAC,IAAI,aAAa,GAAG,CAAC,IAAI,gCAAgC;gCAChF,4EAA4E;gCAC5E,4BAA4B;4BAC9B,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,MAAM,CAAC,IAAI;4BACjB,cAAc,EACZ,6EAA6E;gCAC7E,wFAAwF;4BAC1F,GAAG,EAAE,SAAS;4BACd,OAAO,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;yBACvC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,cAAc,GAAG,YAAY,CAAC,GAAG,GAAG,CAAC,CAAC;YAC1E,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,qBAAqB,EAAE,WAAW,IAAI,EAAE,CAAC,CAAC;YAElF,IAAI,eAAe,GAAG,WAAW,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,mBAAmB;oBACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM;oBACzB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,6BAA6B,eAAe,eAAe,WAAW,IAAI;oBACjF,WAAW,EACT,QAAQ,cAAc,OAAO,YAAY,sCAAsC;wBAC/E,0CAA0C,WAAW,IAAI;oBAC3D,IAAI,EAAE,sBAAsB;oBAC5B,IAAI,EAAE,CAAC;oBACP,cAAc,EACZ,2EAA2E;wBAC3E,+DAA+D;oBACjE,GAAG,EAAE,SAAS;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/analyzers/CredentialExposureAnalyzer.d.ts

@@ -0,0 +1,11 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class CredentialExposureAnalyzer implements Analyzer {
+    readonly name = "CredentialExposureAnalyzer";
+    readonly description = "Detects hardcoded credentials, secrets, and insecure configuration exposure";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+    private checkConfigHardcodedCredentials;
+    private checkHardcodedSecrets;
+    private checkDbCredentials;
+    private checkPrivateKeys;
+}
+//# sourceMappingURL=CredentialExposureAnalyzer.d.ts.map

package/dist/analyzers/CredentialExposureAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CredentialExposureAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/CredentialExposureAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AA6EzF,qBAAa,0BAA2B,YAAW,QAAQ;IACzD,QAAQ,CAAC,IAAI,gCAAiB;IAC9B,QAAQ,CAAC,WAAW,iFAAiF;IAE/F,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAuH5E,OAAO,CAAC,+BAA+B;IA6BvC,OAAO,CAAC,qBAAqB;IA4B7B,OAAO,CAAC,kBAAkB;IAwB1B,OAAO,CAAC,gBAAgB;CAuBzB"}

package/dist/analyzers/CredentialExposureAnalyzer.js

@@ -0,0 +1,262 @@
+import { Severity } from '../types/index.js';
+// ─── Constants ────────────────────────────────────────────────────────────────
+const ANALYZER_NAME = 'CredentialExposureAnalyzer';
+const FINDING_ENV_FILE_COMMITTED = 'HAVOC-CRED-001';
+const FINDING_HARDCODED_SECRET = 'HAVOC-CRED-002';
+const FINDING_APP_DEBUG = 'HAVOC-CRED-003';
+const FINDING_APP_ENV = 'HAVOC-CRED-004';
+const FINDING_DEBUG_CONFIG = 'HAVOC-CRED-005';
+const FINDING_DB_CREDENTIALS = 'HAVOC-CRED-006';
+const FINDING_PRIVATE_KEY = 'HAVOC-CRED-007';
+const FINDING_CONFIG_HARDCODED = 'HAVOC-CRED-008';
+const SENSITIVE_CONFIG_KEYS = [
+    'password', 'secret', 'key', 'token', 'api_key', 'apikey',
+    'access_key', 'private_key', 'client_secret', 'client_id',
+    'app_id', 'app_secret', 'encryption_key', 'signing_secret',
+    'webhook_secret',
+];
+// Secret patterns
+const SECRET_PATTERNS = [
+    { pattern: /['"]sk_live_[0-9a-zA-Z]{24,}['"]/, label: 'Stripe live secret key' },
+    { pattern: /['"]pk_live_[0-9a-zA-Z]{24,}['"]/, label: 'Stripe live publishable key' },
+    { pattern: /['"]AKIA[0-9A-Z]{16}['"]/, label: 'AWS Access Key ID' },
+    { pattern: /(?:password|passwd|pwd)\s*=\s*['"][^'"]{3,}['"]/, label: 'Hardcoded password' },
+    { pattern: /(?:api_key|apikey|api_secret)\s*=\s*['"][^'"]{8,}['"]/, label: 'Hardcoded API key' },
+    { pattern: /(?:access_token|auth_token)\s*=\s*['"][^'"]{8,}['"]/, label: 'Hardcoded access token' },
+    { pattern: /ghp_[0-9a-zA-Z]{36}/, label: 'GitHub personal access token' },
+    { pattern: /xox[baprs]-[0-9a-zA-Z-]{10,}/, label: 'Slack token' },
+];
+const DB_CREDENTIAL_PATTERNS = [
+    /new\s+PDO\s*\(\s*['"][^'"]+['"],\s*['"][^'"]+['"],\s*['"][^'"]{3,}['"]/,
+    /mysqli_connect\s*\([^)]*,\s*['"][^'"]+['"],\s*['"][^'"]{3,}['"]/,
+];
+const PRIVATE_KEY_PATTERNS = [
+    { pattern: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/, label: 'Private key (PEM)' },
+    { pattern: /'jwt_secret'\s*=>\s*'[^']{16,}'/, label: 'JWT secret in config' },
+];
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function isPhpFile(path) {
+    return path.endsWith('.php') && !path.endsWith('.blade.php');
+}
+function isEnvFile(path) {
+    const filename = path.split('/').pop() ?? '';
+    return filename === '.env' || /^\.env\.[a-z]+$/.test(filename);
+}
+function isProductionEnvConfig(path) {
+    return /\.env\.(production|prod|staging|live)/.test(path);
+}
+function isLocalEnvFile(path) {
+    return /\.env\.(local|testing|test|development|dev)/.test(path) || path === '.env.example';
+}
+function isAppConfig(path) {
+    return path === 'config/app.php' || path.endsWith('/config/app.php');
+}
+function isConfigFile(path) {
+    return /(?:^|\/)config\/[^/]+\.php$/.test(path);
+}
+function findLineNumber(content, matchIndex) {
+    return content.slice(0, matchIndex).split('\n').length;
+}
+// ─── Analyzer ─────────────────────────────────────────────────────────────────
+export class CredentialExposureAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Detects hardcoded credentials, secrets, and insecure configuration exposure';
+    async analyze(files, _config) {
+        const findings = [];
+        for (const file of files) {
+            // 1. .env files committed to the repo
+            if (isEnvFile(file.path)) {
+                findings.push({
+                    id: FINDING_ENV_FILE_COMMITTED,
+                    severity: Severity.Critical,
+                    analyzer: ANALYZER_NAME,
+                    title: '`.env` file committed to repository',
+                    description: `The file \`${file.path}\` was found in the scanned path. ` +
+                        `.env files typically contain secrets and should never be committed to version control.`,
+                    file: file.path,
+                    line: 1,
+                    recommendation: 'Add `.env` to `.gitignore`. Use `.env.example` with placeholder values instead.',
+                    cwe: 'CWE-312',
+                });
+            }
+            // 2. Hardcoded secrets in PHP source
+            if (isPhpFile(file.path)) {
+                this.checkHardcodedSecrets(file, findings);
+                this.checkDbCredentials(file, findings);
+                this.checkPrivateKeys(file, findings);
+            }
+            // 3. APP_DEBUG=true in non-local env configs
+            if (isEnvFile(file.path) && !isLocalEnvFile(file.path)) {
+                const debugIdx = file.content.search(/^APP_DEBUG\s*=\s*true/im);
+                if (debugIdx !== -1) {
+                    findings.push({
+                        id: FINDING_APP_DEBUG,
+                        severity: Severity.High,
+                        analyzer: ANALYZER_NAME,
+                        title: '`APP_DEBUG=true` in non-local environment config',
+                        description: `\`APP_DEBUG=true\` was found in \`${file.path}\`. ` +
+                            `Debug mode exposes stack traces and sensitive application internals to end users.`,
+                        file: file.path,
+                        line: findLineNumber(file.content, debugIdx),
+                        recommendation: 'Set `APP_DEBUG=false` in all non-local environment configs.',
+                        cwe: 'CWE-209',
+                        snippet: 'APP_DEBUG=true',
+                    });
+                }
+                // 4. APP_ENV=local or testing in production-looking configs
+                if (isProductionEnvConfig(file.path)) {
+                    const envMatch = /^APP_ENV\s*=\s*(local|testing)/im.exec(file.content);
+                    if (envMatch) {
+                        findings.push({
+                            id: FINDING_APP_ENV,
+                            severity: Severity.Medium,
+                            analyzer: ANALYZER_NAME,
+                            title: `\`APP_ENV=${envMatch[1]}\` in production environment config`,
+                            description: `\`APP_ENV=${envMatch[1]}\` was found in \`${file.path}\`. ` +
+                                `Production configs should use \`APP_ENV=production\`.`,
+                            file: file.path,
+                            line: findLineNumber(file.content, envMatch.index),
+                            recommendation: 'Set `APP_ENV=production` in production environment configs.',
+                            cwe: 'CWE-16',
+                            snippet: `APP_ENV=${envMatch[1]}`,
+                        });
+                    }
+                }
+            }
+            // 5. Config files with hardcoded credentials
+            if (isPhpFile(file.path) && isConfigFile(file.path)) {
+                this.checkConfigHardcodedCredentials(file, findings);
+            }
+            // 6. Verbose error display in config/app.php
+            if (isPhpFile(file.path) && isAppConfig(file.path)) {
+                const debugConfigIdx = file.content.search(/'debug'\s*=>\s*true/);
+                if (debugConfigIdx !== -1) {
+                    findings.push({
+                        id: FINDING_DEBUG_CONFIG,
+                        severity: Severity.High,
+                        analyzer: ANALYZER_NAME,
+                        title: '`debug => true` hardcoded in `config/app.php`',
+                        description: `\`'debug' => true\` is hardcoded in \`${file.path}\`. ` +
+                            `This enables debug mode regardless of the APP_DEBUG environment variable.`,
+                        file: file.path,
+                        line: findLineNumber(file.content, debugConfigIdx),
+                        recommendation: "Use `'debug' => (bool) env('APP_DEBUG', false)` to read the value from the environment.",
+                        cwe: 'CWE-209',
+                        snippet: "'debug' => true",
+                    });
+                }
+                const envHardcoded = /'env'\s*=>\s*'(local|testing)'/.exec(file.content);
+                if (envHardcoded) {
+                    findings.push({
+                        id: FINDING_APP_ENV,
+                        severity: Severity.Medium,
+                        analyzer: ANALYZER_NAME,
+                        title: `\`'env' => '${envHardcoded[1]}'\` hardcoded in \`config/app.php\``,
+                        description: `The application environment is hardcoded as \`${envHardcoded[1]}\` in \`${file.path}\`. `,
+                        file: file.path,
+                        line: findLineNumber(file.content, envHardcoded.index),
+                        recommendation: "Use `'env' => env('APP_ENV', 'production')` to read from the environment.",
+                        cwe: 'CWE-16',
+                        snippet: `'env' => '${envHardcoded[1]}'`,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+    checkConfigHardcodedCredentials(file, findings) {
+        for (const key of SENSITIVE_CONFIG_KEYS) {
+            const regex = new RegExp(`['"]\\b${key}\\b['"]\\s*=>\\s*'([^']{3,})'`, 'gi');
+            let match;
+            while ((match = regex.exec(file.content)) !== null) {
+                const value = match[1];
+                if (/^(null|true|false|your-|xxx|placeholder|changeme)/i.test(value))
+                    continue;
+                const before = file.content.slice(Math.max(0, match.index - 80), match.index);
+                if (/env\s*\([^)]*,\s*$/.test(before))
+                    continue;
+                findings.push({
+                    id: FINDING_CONFIG_HARDCODED,
+                    severity: Severity.High,
+                    analyzer: ANALYZER_NAME,
+                    title: `Hardcoded \`${key}\` in config file \`${file.path}\``,
+                    description: `The config key \`${key}\` in \`${file.path}\` has a hardcoded value instead of ` +
+                        `using \`env()\`. Credentials in source control are exposed to anyone with repo access.`,
+                    file: file.path,
+                    line: findLineNumber(file.content, match.index),
+                    recommendation: `Use \`'${key}' => env('${key.toUpperCase()}')\` to read from environment variables.`,
+                    cwe: 'CWE-798',
+                    snippet: match[0].slice(0, 60),
+                });
+            }
+        }
+    }
+    checkHardcodedSecrets(file, findings) {
+        for (const { pattern, label } of SECRET_PATTERNS) {
+            const regex = new RegExp(pattern.source, 'g');
+            let match;
+            while ((match = regex.exec(file.content)) !== null) {
+                // Skip if value comes from env() call
+                const before = file.content.slice(Math.max(0, match.index - 40), match.index);
+                if (/env\s*\(/.test(before))
+                    continue;
+                findings.push({
+                    id: FINDING_HARDCODED_SECRET,
+                    severity: Severity.Critical,
+                    analyzer: ANALYZER_NAME,
+                    title: `Hardcoded ${label} detected`,
+                    description: `A ${label} appears to be hardcoded in \`${file.path}\`. ` +
+                        `Hardcoded credentials can be extracted from source code and version control history.`,
+                    file: file.path,
+                    line: findLineNumber(file.content, match.index),
+                    recommendation: 'Store secrets in environment variables and access them via `env()`. Never commit secrets to source control.',
+                    cwe: 'CWE-798',
+                    snippet: match[0].slice(0, 60),
+                });
+            }
+        }
+    }
+    checkDbCredentials(file, findings) {
+        for (const pattern of DB_CREDENTIAL_PATTERNS) {
+            const regex = new RegExp(pattern.source, 'gs');
+            let match;
+            while ((match = regex.exec(file.content)) !== null) {
+                findings.push({
+                    id: FINDING_DB_CREDENTIALS,
+                    severity: Severity.Critical,
+                    analyzer: ANALYZER_NAME,
+                    title: 'Database credentials hardcoded in source',
+                    description: `Database credentials appear to be hardcoded in \`${file.path}\`. ` +
+                        `This exposes credentials to anyone with read access to the source code.`,
+                    file: file.path,
+                    line: findLineNumber(file.content, match.index),
+                    recommendation: 'Use environment variables for database credentials: `DB_HOST`, `DB_USERNAME`, `DB_PASSWORD`.',
+                    cwe: 'CWE-312',
+                    snippet: match[0].slice(0, 60),
+                });
+            }
+        }
+    }
+    checkPrivateKeys(file, findings) {
+        for (const { pattern, label } of PRIVATE_KEY_PATTERNS) {
+            const regex = new RegExp(pattern.source, 'g');
+            let match;
+            while ((match = regex.exec(file.content)) !== null) {
+                findings.push({
+                    id: FINDING_PRIVATE_KEY,
+                    severity: Severity.Critical,
+                    analyzer: ANALYZER_NAME,
+                    title: `${label} found inline in source code`,
+                    description: `A ${label} was found inline in \`${file.path}\`. ` +
+                        `Private keys and JWT secrets must never be stored in source code.`,
+                    file: file.path,
+                    line: findLineNumber(file.content, match.index),
+                    recommendation: 'Store private keys in environment variables or a secrets manager. Never commit them to source control.',
+                    cwe: 'CWE-321',
+                    snippet: match[0].slice(0, 60),
+                });
+            }
+        }
+    }
+}
+//# sourceMappingURL=CredentialExposureAnalyzer.js.map

package/dist/analyzers/CredentialExposureAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"CredentialExposureAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/CredentialExposureAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,iFAAiF;AAEjF,MAAM,aAAa,GAAG,4BAA4B,CAAC;AAEnD,MAAM,0BAA0B,GAAG,gBAAgB,CAAC;AACpD,MAAM,wBAAwB,GAAG,gBAAgB,CAAC;AAClD,MAAM,iBAAiB,GAAG,gBAAgB,CAAC;AAC3C,MAAM,eAAe,GAAG,gBAAgB,CAAC;AACzC,MAAM,oBAAoB,GAAG,gBAAgB,CAAC;AAC9C,MAAM,sBAAsB,GAAG,gBAAgB,CAAC;AAChD,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAC7C,MAAM,wBAAwB,GAAG,gBAAgB,CAAC;AAElD,MAAM,qBAAqB,GAAG;IAC5B,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ;IACzD,YAAY,EAAE,aAAa,EAAE,eAAe,EAAE,WAAW;IACzD,QAAQ,EAAE,YAAY,EAAE,gBAAgB,EAAE,gBAAgB;IAC1D,gBAAgB;CACjB,CAAC;AAEF,kBAAkB;AAClB,MAAM,eAAe,GAA8C;IACjE,EAAE,OAAO,EAAE,kCAAkC,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAChF,EAAE,OAAO,EAAE,kCAAkC,EAAE,KAAK,EAAE,6BAA6B,EAAE;IACrF,EAAE,OAAO,EAAE,0BAA0B,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACnE,EAAE,OAAO,EAAE,iDAAiD,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC3F,EAAE,OAAO,EAAE,uDAAuD,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAChG,EAAE,OAAO,EAAE,qDAAqD,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACnG,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IACzE,EAAE,OAAO,EAAE,8BAA8B,EAAE,KAAK,EAAE,aAAa,EAAE;CAClE,CAAC;AAEF,MAAM,sBAAsB,GAAkB;IAC5C,wEAAwE;IACxE,iEAAiE;CAClE,CAAC;AAEF,MAAM,oBAAoB,GAA8C;IACtE,EAAE,OAAO,EAAE,mDAAmD,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC5F,EAAE,OAAO,EAAE,iCAAiC,EAAE,KAAK,EAAE,sBAAsB,EAAE;CAC9E,CAAC;AAEF,gFAAgF;AAEhF,SAAS,SAAS,CAAC,IAAY;IAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IAC7C,OAAO,QAAQ,KAAK,MAAM,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACjE,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,uCAAuC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,6CAA6C,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,KAAK,cAAc,CAAC;AAC7F,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,OAAO,6BAA6B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAClD,CAAC;AAED,SAAS,cAAc,CAAC,OAAe,EAAE,UAAkB;IACzD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AACzD,CAAC;AAED,iFAAiF;AAEjF,MAAM,OAAO,0BAA0B;IAC5B,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,6EAA6E,CAAC;IAErG,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,OAAoB;QACrD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,sCAAsC;YACtC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,0BAA0B;oBAC9B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,qCAAqC;oBAC5C,WAAW,EACT,cAAc,IAAI,CAAC,IAAI,oCAAoC;wBAC3D,wFAAwF;oBAC1F,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,CAAC;oBACP,cAAc,EACZ,iFAAiF;oBACnF,GAAG,EAAE,SAAS;iBACf,CAAC,CAAC;YACL,CAAC;YAED,qCAAqC;YACrC,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzB,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;gBAC3C,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;gBACxC,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACxC,CAAC;YAED,6CAA6C;YAC7C,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC;gBAChE,IAAI,QAAQ,KAAK,CAAC,CAAC,EAAE,CAAC;oBACpB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,iBAAiB;wBACrB,QAAQ,EAAE,QAAQ,CAAC,IAAI;wBACvB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,kDAAkD;wBACzD,WAAW,EACT,qCAAqC,IAAI,CAAC,IAAI,MAAM;4BACpD,mFAAmF;wBACrF,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC;wBAC5C,cAAc,EAAE,6DAA6D;wBAC7E,GAAG,EAAE,SAAS;wBACd,OAAO,EAAE,gBAAgB;qBAC1B,CAAC,CAAC;gBACL,CAAC;gBAED,4DAA4D;gBAC5D,IAAI,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACrC,MAAM,QAAQ,GAAG,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACvE,IAAI,QAAQ,EAAE,CAAC;wBACb,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,eAAe;4BACnB,QAAQ,EAAE,QAAQ,CAAC,MAAM;4BACzB,QAAQ,EAAE,aAAa;4BACvB,KAAK,EAAE,aAAa,QAAQ,CAAC,CAAC,CAAC,qCAAqC;4BACpE,WAAW,EACT,aAAa,QAAQ,CAAC,CAAC,CAAC,qBAAqB,IAAI,CAAC,IAAI,MAAM;gCAC5D,uDAAuD;4BACzD,IAAI,EAAE,IAAI,CAAC,IAAI;4BACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,KAAK,CAAC;4BAClD,cAAc,EAAE,6DAA6D;4BAC7E,GAAG,EAAE,QAAQ;4BACb,OAAO,EAAE,WAAW,QAAQ,CAAC,CAAC,CAAC,EAAE;yBAClC,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,6CAA6C;YAC7C,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpD,IAAI,CAAC,+BAA+B,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACvD,CAAC;YAED,6CAA6C;YAC7C,IAAI,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;gBAClE,IAAI,cAAc,KAAK,CAAC,CAAC,EAAE,CAAC;oBAC1B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,oBAAoB;wBACxB,QAAQ,EAAE,QAAQ,CAAC,IAAI;wBACvB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,+CAA+C;wBACtD,WAAW,EACT,yCAAyC,IAAI,CAAC,IAAI,MAAM;4BACxD,2EAA2E;wBAC7E,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC;wBAClD,cAAc,EACZ,yFAAyF;wBAC3F,GAAG,EAAE,SAAS;wBACd,OAAO,EAAE,iBAAiB;qBAC3B,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,YAAY,GAAG,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzE,IAAI,YAAY,EAAE,CAAC;oBACjB,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,eAAe;wBACnB,QAAQ,EAAE,QAAQ,CAAC,MAAM;wBACzB,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,eAAe,YAAY,CAAC,CAAC,CAAC,qCAAqC;wBAC1E,WAAW,EACT,iDAAiD,YAAY,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,IAAI,MAAM;wBAC5F,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,KAAK,CAAC;wBACtD,cAAc,EAAE,2EAA2E;wBAC3F,GAAG,EAAE,QAAQ;wBACb,OAAO,EAAE,aAAa,YAAY,CAAC,CAAC,CAAC,GAAG;qBACzC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,+BAA+B,CAAC,IAAgB,EAAE,QAAmB;QAC3E,KAAK,MAAM,GAAG,IAAI,qBAAqB,EAAE,CAAC;YACxC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,UAAU,GAAG,+BAA+B,EAAE,IAAI,CAAC,CAAC;YAC7E,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,oDAAoD,CAAC,IAAI,CAAC,KAAK,CAAC;oBAAE,SAAS;gBAC/E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC9E,IAAI,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAEhD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,wBAAwB;oBAC5B,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,eAAe,GAAG,uBAAuB,IAAI,CAAC,IAAI,IAAI;oBAC7D,WAAW,EACT,oBAAoB,GAAG,WAAW,IAAI,CAAC,IAAI,sCAAsC;wBACjF,wFAAwF;oBAC1F,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAC/C,cAAc,EACZ,UAAU,GAAG,aAAa,GAAG,CAAC,WAAW,EAAE,0CAA0C;oBACvF,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,qBAAqB,CAAC,IAAgB,EAAE,QAAmB;QACjE,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,eAAe,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9C,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,sCAAsC;gBACtC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC9E,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC;oBAAE,SAAS;gBAEtC,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,wBAAwB;oBAC5B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,aAAa,KAAK,WAAW;oBACpC,WAAW,EACT,KAAK,KAAK,iCAAiC,IAAI,CAAC,IAAI,MAAM;wBAC1D,sFAAsF;oBACxF,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAC/C,cAAc,EACZ,6GAA6G;oBAC/G,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,kBAAkB,CAAC,IAAgB,EAAE,QAAmB;QAC9D,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;YAC7C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;YAC/C,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB;oBAC1B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,0CAA0C;oBACjD,WAAW,EACT,oDAAoD,IAAI,CAAC,IAAI,MAAM;wBACnE,yEAAyE;oBAC3E,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAC/C,cAAc,EACZ,8FAA8F;oBAChG,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,IAAgB,EAAE,QAAmB;QAC5D,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,oBAAoB,EAAE,CAAC;YACtD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;YAC9C,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACnD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,mBAAmB;oBACvB,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,GAAG,KAAK,8BAA8B;oBAC7C,WAAW,EACT,KAAK,KAAK,0BAA0B,IAAI,CAAC,IAAI,MAAM;wBACnD,mEAAmE;oBACrE,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAC/C,cAAc,EACZ,wGAAwG;oBAC1G,GAAG,EAAE,SAAS;oBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBAC/B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/analyzers/DependencyAuditAnalyzer.d.ts

@@ -0,0 +1,28 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+interface ComposerAdvisory {
+    advisoryId: string;
+    packageName: string;
+    title: string;
+    link: string;
+    cve: string | null;
+    severity: string;
+    affectedVersions: string;
+    sources: {
+        name: string;
+        remoteId: string;
+    }[];
+    reportedAt: string;
+}
+interface ComposerAuditResult {
+    advisories: Record<string, ComposerAdvisory[]>;
+    abandoned: Record<string, string>;
+}
+export declare class DependencyAuditAnalyzer implements Analyzer {
+    readonly name = "DependencyAuditAnalyzer";
+    readonly description = "Audits composer.json for known vulnerable PHP dependencies";
+    private readonly composerRunner;
+    constructor(composerRunner?: (projectPath: string) => Promise<ComposerAuditResult | null>);
+    analyze(files: ParsedFile[], config: HavocConfig): Promise<Finding[]>;
+}
+export {};
+//# sourceMappingURL=DependencyAuditAnalyzer.d.ts.map

package/dist/analyzers/DependencyAuditAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"DependencyAuditAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/DependencyAuditAnalyzer.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAiBzF,UAAU,gBAAgB;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC9C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,mBAAmB;IAC3B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAC/C,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACnC;AAMD,qBAAa,uBAAwB,YAAW,QAAQ;IACtD,QAAQ,CAAC,IAAI,6BAAiB;IAC9B,QAAQ,CAAC,WAAW,gEAAgE;IAEpF,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA+D;gBAElF,cAAc,CAAC,EAAE,CAAC,WAAW,EAAE,MAAM,KAAK,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAInF,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CA6D5E"}

package/dist/analyzers/DependencyAuditAnalyzer.js

@@ -0,0 +1,107 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { Severity } from '../types/index.js';
+const execFileAsync = promisify(execFile);
+const FINDING_VULNERABLE_DEP = 'HAVOC-DEP-001';
+const FINDING_COMPOSER_UNAVAILABLE = 'HAVOC-DEP-002';
+const ANALYZER_NAME = 'DependencyAuditAnalyzer';
+const SEVERITY_MAP = {
+    critical: Severity.Critical,
+    high: Severity.High,
+    medium: Severity.Medium,
+    moderate: Severity.Medium,
+    low: Severity.Low,
+    info: Severity.Info,
+};
+function mapSeverity(severity) {
+    return SEVERITY_MAP[severity.toLowerCase()] ?? Severity.Medium;
+}
+export class DependencyAuditAnalyzer {
+    name = ANALYZER_NAME;
+    description = 'Audits composer.json for known vulnerable PHP dependencies';
+    composerRunner;
+    constructor(composerRunner) {
+        this.composerRunner = composerRunner ?? defaultComposerRunner;
+    }
+    async analyze(files, config) {
+        const findings = [];
+        const composerFile = files.find((f) => f.path === 'composer.json' || f.path.endsWith('/composer.json'));
+        if (!composerFile)
+            return findings;
+        const projectRoot = config.projectRoot ?? '.';
+        try {
+            const auditResult = await this.composerRunner(projectRoot);
+            if (!auditResult) {
+                findings.push({
+                    id: FINDING_COMPOSER_UNAVAILABLE,
+                    severity: Severity.Info,
+                    analyzer: ANALYZER_NAME,
+                    title: 'composer audit unavailable — dependency check skipped',
+                    description: '`composer` is not available in PATH or does not support the `audit` command (requires Composer 2.4+).',
+                    file: composerFile.path,
+                    line: 1,
+                    recommendation: 'Install Composer 2.4+ and run `composer audit` manually.',
+                    cwe: 'CWE-1104',
+                });
+                return findings;
+            }
+            for (const [packageName, advisories] of Object.entries(auditResult.advisories)) {
+                for (const advisory of advisories) {
+                    findings.push({
+                        id: FINDING_VULNERABLE_DEP,
+                        severity: mapSeverity(advisory.severity),
+                        analyzer: ANALYZER_NAME,
+                        title: `Vulnerable dependency: ${packageName} — ${advisory.title}`,
+                        description: `Package \`${packageName}\` has a known vulnerability: ${advisory.title}. ` +
+                            (advisory.cve ? `CVE: ${advisory.cve}. ` : '') +
+                            `Affected versions: ${advisory.affectedVersions}.`,
+                        file: 'composer.json',
+                        line: 1,
+                        recommendation: `Update \`${packageName}\` to a patched version. See: ${advisory.link}`,
+                        cwe: advisory.cve ? `CVE: ${advisory.cve}` : 'CWE-1104',
+                        snippet: `"${packageName}": "${advisory.affectedVersions}"`,
+                    });
+                }
+            }
+        }
+        catch (err) {
+            findings.push({
+                id: FINDING_COMPOSER_UNAVAILABLE,
+                severity: Severity.Info,
+                analyzer: ANALYZER_NAME,
+                title: 'composer audit failed — dependency check skipped',
+                description: `composer audit returned an error: ${err.message}`,
+                file: composerFile.path,
+                line: 1,
+                recommendation: 'Ensure composer is installed and `composer.lock` is present.',
+                cwe: 'CWE-1104',
+            });
+        }
+        return findings;
+    }
+}
+async function defaultComposerRunner(projectPath) {
+    const composerLock = resolve(projectPath, 'composer.lock');
+    if (!existsSync(composerLock))
+        return null;
+    try {
+        const { stdout } = await execFileAsync('composer', ['audit', '--format=json', '--no-interaction'], {
+            cwd: projectPath,
+            timeout: 30_000,
+        });
+        return JSON.parse(stdout);
+    }
+    catch (err) {
+        const error = err;
+        if (error.stdout) {
+            try {
+                return JSON.parse(error.stdout);
+            }
+            catch { /* not JSON */ }
+        }
+        return null;
+    }
+}
+//# sourceMappingURL=DependencyAuditAnalyzer.js.map

package/dist/analyzers/DependencyAuditAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"DependencyAuditAnalyzer.js","sourceRoot":"","sources":["../../src/analyzers/DependencyAuditAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAA8C,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEzF,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,sBAAsB,GAAG,eAAe,CAAC;AAC/C,MAAM,4BAA4B,GAAG,eAAe,CAAC;AACrD,MAAM,aAAa,GAAG,yBAAyB,CAAC;AAEhD,MAAM,YAAY,GAA6B;IAC7C,QAAQ,EAAE,QAAQ,CAAC,QAAQ;IAC3B,IAAI,EAAE,QAAQ,CAAC,IAAI;IACnB,MAAM,EAAE,QAAQ,CAAC,MAAM;IACvB,QAAQ,EAAE,QAAQ,CAAC,MAAM;IACzB,GAAG,EAAE,QAAQ,CAAC,GAAG;IACjB,IAAI,EAAE,QAAQ,CAAC,IAAI;CACpB,CAAC;AAmBF,SAAS,WAAW,CAAC,QAAgB;IACnC,OAAO,YAAY,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,QAAQ,CAAC,MAAM,CAAC;AACjE,CAAC;AAED,MAAM,OAAO,uBAAuB;IACzB,IAAI,GAAG,aAAa,CAAC;IACrB,WAAW,GAAG,4DAA4D,CAAC;IAEnE,cAAc,CAA+D;IAE9F,YAAY,cAA6E;QACvF,IAAI,CAAC,cAAc,GAAG,cAAc,IAAI,qBAAqB,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,KAAmB,EAAE,MAAmB;QACpD,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACxG,IAAI,CAAC,YAAY;YAAE,OAAO,QAAQ,CAAC;QAEnC,MAAM,WAAW,GAAI,MAAiD,CAAC,WAAW,IAAI,GAAG,CAAC;QAE1F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;YAC3D,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,4BAA4B;oBAChC,QAAQ,EAAE,QAAQ,CAAC,IAAI;oBACvB,QAAQ,EAAE,aAAa;oBACvB,KAAK,EAAE,uDAAuD;oBAC9D,WAAW,EACT,uGAAuG;oBACzG,IAAI,EAAE,YAAY,CAAC,IAAI;oBACvB,IAAI,EAAE,CAAC;oBACP,cAAc,EAAE,0DAA0D;oBAC1E,GAAG,EAAE,UAAU;iBAChB,CAAC,CAAC;gBACH,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,KAAK,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC/E,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;oBAClC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,sBAAsB;wBAC1B,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC;wBACxC,QAAQ,EAAE,aAAa;wBACvB,KAAK,EAAE,0BAA0B,WAAW,MAAM,QAAQ,CAAC,KAAK,EAAE;wBAClE,WAAW,EACT,aAAa,WAAW,iCAAiC,QAAQ,CAAC,KAAK,IAAI;4BAC3E,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;4BAC9C,sBAAsB,QAAQ,CAAC,gBAAgB,GAAG;wBACpD,IAAI,EAAE,eAAe;wBACrB,IAAI,EAAE,CAAC;wBACP,cAAc,EAAE,YAAY,WAAW,iCAAiC,QAAQ,CAAC,IAAI,EAAE;wBACvF,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,QAAQ,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,UAAU;wBACvD,OAAO,EAAE,IAAI,WAAW,OAAO,QAAQ,CAAC,gBAAgB,GAAG;qBAC5D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,4BAA4B;gBAChC,QAAQ,EAAE,QAAQ,CAAC,IAAI;gBACvB,QAAQ,EAAE,aAAa;gBACvB,KAAK,EAAE,kDAAkD;gBACzD,WAAW,EAAE,qCAAsC,GAAa,CAAC,OAAO,EAAE;gBAC1E,IAAI,EAAE,YAAY,CAAC,IAAI;gBACvB,IAAI,EAAE,CAAC;gBACP,cAAc,EAAE,8DAA8D;gBAC9E,GAAG,EAAE,UAAU;aAChB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAED,KAAK,UAAU,qBAAqB,CAAC,WAAmB;IACtD,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE,CAAC,OAAO,EAAE,eAAe,EAAE,kBAAkB,CAAC,EAAE;YACjG,GAAG,EAAE,WAAW;YAChB,OAAO,EAAE,MAAM;SAChB,CAAC,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAwB,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,KAAK,GAAG,GAAyC,CAAC;QACxD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAwB,CAAC;YACzD,CAAC;YAAC,MAAM,CAAC,CAAC,cAAc,CAAC,CAAC;QAC5B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/analyzers/EncryptionAnalyzer.d.ts

@@ -0,0 +1,7 @@
+import { Analyzer, Finding, HavocConfig, ParsedFile } from '../types/index.js';
+export declare class EncryptionAnalyzer implements Analyzer {
+    readonly name = "EncryptionAnalyzer";
+    readonly description = "Detects sensitive model attributes missing encryption casts and other encryption issues";
+    analyze(files: ParsedFile[], _config: HavocConfig): Promise<Finding[]>;
+}
+//# sourceMappingURL=EncryptionAnalyzer.d.ts.map

package/dist/analyzers/EncryptionAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"EncryptionAnalyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/EncryptionAnalyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,EAAY,MAAM,mBAAmB,CAAC;AAiEzF,qBAAa,kBAAmB,YAAW,QAAQ;IACjD,QAAQ,CAAC,IAAI,wBAAiB;IAC9B,QAAQ,CAAC,WAAW,6FACwE;IAEtF,OAAO,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;CA4H7E"}