@havoc-security/scanner 0.1.0

package/tests/analyzers.test.ts

@@ -0,0 +1,678 @@
+import { describe, it, expect } from 'vitest';
+import { readFile } from 'node:fs/promises';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import {
+  AuthorizationCoverageAnalyzer,
+  MassAssignmentAnalyzer,
+  XssSurfaceAnalyzer,
+  SqlInjectionAnalyzer,
+  DependencyAuditAnalyzer,
+  IdorAnalyzer,
+  CredentialExposureAnalyzer,
+  SessionSecurityAnalyzer,
+  FileUploadAnalyzer,
+} from '../src/analyzers/index.js';
+import { DEFAULT_CONFIG } from '../src/index.js';
+import { PhpParser } from '../src/parsers/PhpParser.js';
+import type { ParsedFile } from '../src/types/index.js';
+import { Severity } from '../src/types/index.js';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const FIXTURES = resolve(__dirname, 'fixtures');
+
+async function fixtureFile(relativePath: string): Promise<ParsedFile> {
+  const absPath = resolve(FIXTURES, relativePath);
+  const content = await readFile(absPath, 'utf-8');
+  return { path: relativePath, content, ast: null };
+}
+
+async function parsedFixture(relativePath: string) {
+  const parser = new PhpParser();
+  const absPath = resolve(FIXTURES, relativePath);
+  return parser.parseFile(absPath, FIXTURES);
+}
+
+// ─── Analyzer interface conformance ──────────────────────────────────────────
+
+describe('Analyzer interface conformance', () => {
+  const ALL_ANALYZERS = [
+    new AuthorizationCoverageAnalyzer(),
+    new MassAssignmentAnalyzer(),
+    new XssSurfaceAnalyzer(),
+    new SqlInjectionAnalyzer(),
+    new DependencyAuditAnalyzer(),
+    new IdorAnalyzer(),
+    new CredentialExposureAnalyzer(),
+    new SessionSecurityAnalyzer(),
+    new FileUploadAnalyzer(),
+  ];
+
+  it('all analyzers have a non-empty name string', () => {
+    for (const a of ALL_ANALYZERS) {
+      expect(typeof a.name).toBe('string');
+      expect(a.name.length).toBeGreaterThan(0);
+    }
+  });
+
+  it('all analyzers have a non-empty description string', () => {
+    for (const a of ALL_ANALYZERS) {
+      expect(typeof a.description).toBe('string');
+      expect(a.description.length).toBeGreaterThan(0);
+    }
+  });
+
+  it('all analyzers return an array for empty file input', async () => {
+    for (const a of ALL_ANALYZERS) {
+      const result = await a.analyze([], DEFAULT_CONFIG);
+      expect(Array.isArray(result)).toBe(true);
+    }
+  });
+
+  it('all analyzers return empty array for empty file list', async () => {
+    for (const a of ALL_ANALYZERS) {
+      const result = await a.analyze([], DEFAULT_CONFIG);
+      expect(result).toHaveLength(0);
+    }
+  });
+
+  it('AuthorizationCoverageAnalyzer name is AuthorizationCoverageAnalyzer', () => {
+    expect(new AuthorizationCoverageAnalyzer().name).toBe('AuthorizationCoverageAnalyzer');
+  });
+
+  it('MassAssignmentAnalyzer name is MassAssignmentAnalyzer', () => {
+    expect(new MassAssignmentAnalyzer().name).toBe('MassAssignmentAnalyzer');
+  });
+
+  it('XssSurfaceAnalyzer name is XssSurfaceAnalyzer', () => {
+    expect(new XssSurfaceAnalyzer().name).toBe('XssSurfaceAnalyzer');
+  });
+
+  it('SqlInjectionAnalyzer name is SqlInjectionAnalyzer', () => {
+    expect(new SqlInjectionAnalyzer().name).toBe('SqlInjectionAnalyzer');
+  });
+
+  it('DependencyAuditAnalyzer name is DependencyAuditAnalyzer', () => {
+    expect(new DependencyAuditAnalyzer().name).toBe('DependencyAuditAnalyzer');
+  });
+
+  it('IdorAnalyzer name is IdorAnalyzer', () => {
+    expect(new IdorAnalyzer().name).toBe('IdorAnalyzer');
+  });
+});
+
+// ─── PhpParser tests ──────────────────────────────────────────────────────────
+
+describe('PhpParser', () => {
+  it('parses a PHP file and returns a ParsedPhpFile', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    expect(result.path).toContain('PostController.php');
+    expect(result.content.length).toBeGreaterThan(0);
+    expect(result.classes).toBeDefined();
+  });
+
+  it('extracts class name from a controller', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    expect(result.classes.length).toBeGreaterThan(0);
+    expect(result.classes[0].name).toBe('PostController');
+  });
+
+  it('extracts public methods from a controller', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    const cls = result.classes[0];
+    const methodNames = cls.methods.map((m) => m.name);
+    expect(methodNames).toContain('index');
+    expect(methodNames).toContain('store');
+    expect(methodNames).toContain('destroy');
+  });
+
+  it('marks methods with correct visibility', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    const cls = result.classes[0];
+    const storeMethod = cls.methods.find((m) => m.name === 'store');
+    expect(storeMethod?.visibility).toBe('public');
+    const protectedMethod = cls.methods.find((m) => m.name === 'someProtectedMethod');
+    expect(protectedMethod?.visibility).toBe('protected');
+  });
+
+  it('extracts model properties ($fillable)', async () => {
+    const result = await parsedFixture('app/Models/User.php');
+    const cls = result.classes[0];
+    expect(cls.name).toBe('User');
+    const fillable = cls.properties.find((p) => p.name === 'fillable');
+    expect(fillable).toBeDefined();
+  });
+
+  it('fillable initializer includes field names', async () => {
+    const result = await parsedFixture('app/Models/User.php');
+    const cls = result.classes[0];
+    const fillable = cls.properties.find((p) => p.name === 'fillable');
+    expect(fillable?.initializer).toContain('name');
+    expect(fillable?.initializer).toContain('email');
+  });
+
+  it('extracts namespace from PHP file', async () => {
+    const result = await parsedFixture('app/Models/User.php');
+    expect(result.namespace).toBe('App\\Models');
+  });
+
+  it('extracts use statements (imports)', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    expect(result.useStatements).toBeDefined();
+    expect(Array.isArray(result.useStatements)).toBe(true);
+  });
+
+  it('returns array for route file (procedural)', async () => {
+    const result = await parsedFixture('routes/web.php');
+    expect(Array.isArray(result.classes)).toBe(true);
+  });
+
+  it('handles parse errors gracefully (no throw)', async () => {
+    const parser = new PhpParser();
+    const badFile = resolve(FIXTURES, 'app/Http/Controllers/PostController.php');
+    const result = await parser.parseFile(badFile, FIXTURES);
+    expect(result).toBeDefined();
+  });
+
+  it('extracts method body text', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    const cls = result.classes[0];
+    const storeMethod = cls.methods.find((m) => m.name === 'store');
+    expect(typeof storeMethod?.bodyText).toBe('string');
+  });
+
+  it('extracts parent class name', async () => {
+    const result = await parsedFixture('app/Http/Controllers/PostController.php');
+    const cls = result.classes[0];
+    expect(cls.parent).toBe('Controller');
+  });
+
+  it('model with no fillable has no properties', async () => {
+    const result = await parsedFixture('app/Models/Comment.php');
+    const cls = result.classes[0];
+    expect(cls.name).toBe('Comment');
+    const fillable = cls.properties.find((p) => p.name === 'fillable');
+    expect(fillable).toBeUndefined();
+  });
+});
+
+// ─── AuthorizationCoverageAnalyzer ───────────────────────────────────────────
+
+describe('AuthorizationCoverageAnalyzer', () => {
+  it('does not flag non-controller files', async () => {
+    const file = await parsedFixture('app/Models/User.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('flags unprotected controller actions', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const unprotected = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(unprotected.length).toBeGreaterThanOrEqual(2);
+  });
+
+  it('does not flag protected actions with $this->authorize()', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const flaggedMethods = findings.map((f) => f.title);
+    expect(flaggedMethods.some((t) => t.includes('index'))).toBe(false);
+    expect(flaggedMethods.some((t) => t.includes('destroy'))).toBe(false);
+  });
+
+  it('does not flag __construct method', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const flaggedMethods = findings.map((f) => f.title);
+    expect(flaggedMethods.some((t) => t.includes('__construct'))).toBe(false);
+  });
+
+  it('does not flag protected methods', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const flaggedMethods = findings.map((f) => f.title);
+    expect(flaggedMethods.some((t) => t.includes('someProtectedMethod'))).toBe(false);
+  });
+
+  it('flags public controller methods without auth', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-AUTH-001')).toBe(true);
+  });
+
+  it('produces findings with correct CWE', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    for (const f of authFindings) {
+      expect(f.cwe).toBe('CWE-862');
+    }
+  });
+
+  it('findings have High or Medium severity', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    for (const f of findings) {
+      expect([Severity.High, Severity.Medium]).toContain(f.severity);
+    }
+  });
+
+  it('includes file path in finding', async () => {
+    const file = await parsedFixture('app/Http/Controllers/PostController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    for (const f of authFindings) {
+      expect(f.file).toContain('PostController.php');
+    }
+  });
+
+  it('fully covered controller produces no HAVOC-AUTH-001 findings', async () => {
+    const file = await parsedFixture('app/Http/Controllers/AdminController.php');
+    const analyzer = new AuthorizationCoverageAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const authFindings = findings.filter((f) => f.id === 'HAVOC-AUTH-001');
+    expect(authFindings).toHaveLength(0);
+  });
+});
+
+// ─── MassAssignmentAnalyzer ───────────────────────────────────────────────────
+
+describe('MassAssignmentAnalyzer', () => {
+  it('does not flag non-model files', async () => {
+    const file = await fixtureFile('app/Http/Controllers/PostController.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('flags model with no $fillable or $guarded (MEDIUM)', async () => {
+    const file = await parsedFixture('app/Models/Comment.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-MA-001')).toBe(true);
+    expect(findings.find((f) => f.id === 'HAVOC-MA-001')?.severity).toBe(Severity.Medium);
+  });
+
+  it('flags model with $guarded = [] as HIGH', async () => {
+    const file = await parsedFixture('app/Models/OpenModel.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-MA-002')).toBe(true);
+    expect(findings.find((f) => f.id === 'HAVOC-MA-002')?.severity).toBe(Severity.High);
+  });
+
+  it('flags sensitive field "password" in $fillable (MEDIUM)', async () => {
+    const file = await parsedFixture('app/Models/User.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const sensitiveFindings = findings.filter((f) => f.id === 'HAVOC-MA-003');
+    const passwordFinding = sensitiveFindings.find((f) => f.title.includes('password'));
+    expect(passwordFinding).toBeDefined();
+    expect(passwordFinding?.severity).toBe(Severity.Medium);
+  });
+
+  it('flags sensitive field "role" in $fillable', async () => {
+    const file = await parsedFixture('app/Models/User.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    const roleFinding = findings.find((f) => f.title.includes('role'));
+    expect(roleFinding).toBeDefined();
+  });
+
+  it('does not flag safe model with clean $fillable', async () => {
+    const file = await parsedFixture('app/Models/SafeModel.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does not flag Post model with clean $fillable', async () => {
+    const file = await parsedFixture('app/Models/Post.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('produces findings with CWE-915', async () => {
+    const file = await parsedFixture('app/Models/Comment.php');
+    const analyzer = new MassAssignmentAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    for (const f of findings) {
+      expect(f.cwe).toBe('CWE-915');
+    }
+  });
+});
+
+// ─── SqlInjectionAnalyzer ────────────────────────────────────────────────────
+
+describe('SqlInjectionAnalyzer', () => {
+  it('does not flag non-PHP files', async () => {
+    const file: ParsedFile = { path: 'resources/views/home.blade.php', content: 'whereRaw($x)', ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('flags DB::select with string interpolation as HIGH', async () => {
+    const content = `<?php\n$result = DB::select("SELECT * FROM users WHERE name = '$name'");\n`;
+    const file: ParsedFile = { path: 'app/Services/UserService.php', content, ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-SQL-001')).toBe(true);
+  });
+
+  it('flags whereRaw with variable concatenation as HIGH', async () => {
+    const content = `<?php\n$users = User::whereRaw('status = ' . $status)->get();\n`;
+    const file: ParsedFile = { path: 'app/Http/Controllers/UserController.php', content, ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-SQL-001')).toBe(true);
+  });
+
+  it('does not flag whereRaw with ? binding', async () => {
+    const content = `<?php\n$users = User::whereRaw('age > ?', [$minAge])->get();\n`;
+    const file: ParsedFile = { path: 'app/Http/Controllers/UserController.php', content, ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter((f) => f.id === 'HAVOC-SQL-001')).toHaveLength(0);
+  });
+
+  it('reports info for raw query without interpolation or bindings', async () => {
+    // DB::raw($query) — variable argument, no interpolation patterns, no binding → Info
+    const content = `<?php\n$order = DB::raw($column);\n`;
+    const file: ParsedFile = { path: 'app/Http/Controllers/FeedController.php', content, ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-SQL-002' && f.severity === Severity.Info)).toBe(true);
+  });
+
+  it('produces findings with CWE-89', async () => {
+    const content = `<?php\n$r = DB::select("SELECT * FROM t WHERE x = '$x'");\n`;
+    const file: ParsedFile = { path: 'app/Services/Service.php', content, ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    for (const f of findings.filter((x) => x.id === 'HAVOC-SQL-001')) {
+      expect(f.cwe).toBe('CWE-89');
+    }
+  });
+
+  it('flags DB::statement with interpolation', async () => {
+    const content = `<?php\n$raw = DB::statement("UPDATE users SET role = '$role' WHERE id = $id");\n`;
+    const file: ParsedFile = { path: 'app/Services/RoleService.php', content, ast: null };
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-SQL-001')).toBe(true);
+  });
+
+  it('does not flag safe queries file', async () => {
+    const file = await fixtureFile('sql/safe_queries.php');
+    file.path = 'app/Services/SafeService.php';
+    const analyzer = new SqlInjectionAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.filter((f) => f.id === 'HAVOC-SQL-001')).toHaveLength(0);
+  });
+});
+
+// ─── XssSurfaceAnalyzer ───────────────────────────────────────────────────────
+
+describe('XssSurfaceAnalyzer', () => {
+  it('does not flag escaped Blade output', async () => {
+    const content = '<p>{{ $user->name }}</p>';
+    const file: ParsedFile = { path: 'resources/views/show.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('flags user-controlled unescaped output as HIGH', async () => {
+    const content = '<div>{!! $comment->body !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/comments/show.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.severity === Severity.High)).toBe(true);
+  });
+
+  it('does not flag e()-wrapped output', async () => {
+    const content = '<div>{!! e($userInput) !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/show.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does not flag config() values in unescaped output', async () => {
+    const content = '<div>{!! config("app.footer") !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/layout.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does not flag mail template unescaped output', async () => {
+    const content = '<div>{!! $mailContent !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/mail/welcome.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('does not flag non-Blade files', async () => {
+    const file: ParsedFile = { path: 'app/Http/Controllers/HomeController.php', content: '{!! $x !!}', ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('produces findings with CWE-79', async () => {
+    const content = '<div>{!! $text !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/show.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    for (const f of findings) {
+      expect(f.cwe).toBe('CWE-79');
+    }
+  });
+
+  it('does not flag htmlspecialchars-wrapped output', async () => {
+    const content = '<div>{!! htmlspecialchars($input) !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/show.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('flags $message variable as user-controlled', async () => {
+    const content = '<div>{!! $message !!}</div>';
+    const file: ParsedFile = { path: 'resources/views/show.blade.php', content, ast: null };
+    const analyzer = new XssSurfaceAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.severity === Severity.High)).toBe(true);
+  });
+});
+
+// ─── IdorAnalyzer ────────────────────────────────────────────────────────────
+
+describe('IdorAnalyzer', () => {
+  it('does not flag routes without multiple params', async () => {
+    const content = `Route::get('/posts/{post}', [PostController::class, 'show']);`;
+    const file: ParsedFile = { path: 'routes/web.php', content, ast: null };
+    const analyzer = new IdorAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('flags nested routes with multiple params', async () => {
+    const content = `Route::get('/users/{userId}/posts/{postId}', [PostController::class, 'show']);`;
+    const file: ParsedFile = { path: 'routes/web.php', content, ast: null };
+    const analyzer = new IdorAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-IDOR-001')).toBe(true);
+  });
+
+  it('flags nested resource routes (dots)', async () => {
+    const content = `Route::resource('users.posts', PostController::class);`;
+    const file: ParsedFile = { path: 'routes/web.php', content, ast: null };
+    const analyzer = new IdorAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-IDOR-002')).toBe(true);
+  });
+
+  it('does not flag non-route files', async () => {
+    const file: ParsedFile = {
+      path: 'app/Http/Controllers/PostController.php',
+      content: '/users/{userId}/posts/{postId}',
+      ast: null,
+    };
+    const analyzer = new IdorAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('produces findings with CWE-639', async () => {
+    const content = `Route::get('/users/{userId}/posts/{postId}', [PostController::class, 'show']);`;
+    const file: ParsedFile = { path: 'routes/web.php', content, ast: null };
+    const analyzer = new IdorAnalyzer();
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    for (const f of findings) {
+      expect(f.cwe).toBe('CWE-639');
+    }
+  });
+
+  it('does not flag route files with ownership checks in controllers', async () => {
+    const routeFile: ParsedFile = {
+      path: 'routes/web.php',
+      content: `Route::get('/users/{userId}/posts/{postId}', [PostController::class, 'show']);`,
+      ast: null,
+    };
+    const controllerFile: ParsedFile = {
+      path: 'app/Http/Controllers/PostController.php',
+      content: `$post = $user->posts()->findOrFail($postId); Gate::allows('view', $post);`,
+      ast: null,
+    };
+    const analyzer = new IdorAnalyzer();
+    const findings = await analyzer.analyze([routeFile, controllerFile], DEFAULT_CONFIG);
+    // With ownership check, should not flag
+    expect(findings).toHaveLength(0);
+  });
+});
+
+// ─── DependencyAuditAnalyzer ──────────────────────────────────────────────────
+
+describe('DependencyAuditAnalyzer', () => {
+  it('skips scan when no composer.json in file list', async () => {
+    const analyzer = new DependencyAuditAnalyzer();
+    const findings = await analyzer.analyze([], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+
+  it('uses injected mock runner and returns critical finding', async () => {
+    const mockRunner = async (_path: string) => ({
+      advisories: {
+        'vendor/package': [{
+          advisoryId: 'ADV-001', packageName: 'vendor/package',
+          title: 'Remote Code Execution', link: 'https://example.com/adv-001',
+          cve: 'CVE-2024-1234', severity: 'critical',
+          affectedVersions: '>=1.0.0,<1.5.0', sources: [], reportedAt: '2024-01-01',
+        }],
+      },
+      abandoned: {},
+    });
+    const analyzer = new DependencyAuditAnalyzer(mockRunner);
+    const file: ParsedFile = { path: 'composer.json', content: '{}', ast: null };
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-DEP-001')).toBe(true);
+    expect(findings[0].severity).toBe(Severity.Critical);
+  });
+
+  it('maps high severity CVE correctly', async () => {
+    const mockRunner = async (_path: string) => ({
+      advisories: {
+        'some/package': [{
+          advisoryId: 'ADV-002', packageName: 'some/package',
+          title: 'SQL Injection', link: 'https://example.com/adv-002',
+          cve: null, severity: 'high', affectedVersions: '>=2.0.0',
+          sources: [], reportedAt: '2024-02-01',
+        }],
+      },
+      abandoned: {},
+    });
+    const analyzer = new DependencyAuditAnalyzer(mockRunner);
+    const file: ParsedFile = { path: 'composer.json', content: '{}', ast: null };
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings[0].severity).toBe(Severity.High);
+  });
+
+  it('maps medium severity correctly', async () => {
+    const mockRunner = async (_path: string) => ({
+      advisories: {
+        'a/b': [{
+          advisoryId: 'ADV-003', packageName: 'a/b', title: 'CSRF',
+          link: 'https://example.com', cve: null, severity: 'medium',
+          affectedVersions: '>=1.0', sources: [], reportedAt: '2024-01-01',
+        }],
+      },
+      abandoned: {},
+    });
+    const analyzer = new DependencyAuditAnalyzer(mockRunner);
+    const file: ParsedFile = { path: 'composer.json', content: '{}', ast: null };
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings[0].severity).toBe(Severity.Medium);
+  });
+
+  it('returns info finding when composer runner returns null', async () => {
+    const mockRunner = async (_path: string) => null;
+    const analyzer = new DependencyAuditAnalyzer(mockRunner);
+    const file: ParsedFile = { path: 'composer.json', content: '{}', ast: null };
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings.some((f) => f.id === 'HAVOC-DEP-002')).toBe(true);
+  });
+
+  it('returns empty findings for no advisories', async () => {
+    const mockRunner = async (_path: string) => ({ advisories: {}, abandoned: {} });
+    const analyzer = new DependencyAuditAnalyzer(mockRunner);
+    const file: ParsedFile = { path: 'composer.json', content: '{}', ast: null };
+    const findings = await analyzer.analyze([file], DEFAULT_CONFIG);
+    expect(findings).toHaveLength(0);
+  });
+});
+
+// ─── Security Grade ───────────────────────────────────────────────────────────
+
+describe('calculateSecurityGrade', () => {
+  it('returns A for zero findings', async () => {
+    const { calculateSecurityGrade } = await import('../src/index.js');
+    expect(calculateSecurityGrade([])).toBe('A');
+  });
+
+  it('returns F for multiple critical findings', async () => {
+    const { calculateSecurityGrade } = await import('../src/index.js');
+    const findings = Array.from({ length: 3 }, () => ({ severity: Severity.Critical }));
+    expect(calculateSecurityGrade(findings)).toBe('F');
+  });
+
+  it('returns B for a single high finding', async () => {
+    const { calculateSecurityGrade } = await import('../src/index.js');
+    expect(calculateSecurityGrade([{ severity: Severity.High }])).toBe('B');
+  });
+
+  it('returns A for info-only findings', async () => {
+    const { calculateSecurityGrade } = await import('../src/index.js');
+    const findings = Array.from({ length: 10 }, () => ({ severity: Severity.Info }));
+    expect(calculateSecurityGrade(findings)).toBe('A');
+  });
+
+  it('returns D for 3 high findings', async () => {
+    const { calculateSecurityGrade } = await import('../src/index.js');
+    const findings = Array.from({ length: 3 }, () => ({ severity: Severity.High }));
+    expect(calculateSecurityGrade(findings)).toBe('D');
+  });
+});