@kevinrabun/judges 2.2.0 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +203 -20
- package/dist/api.d.ts +40 -0
- package/dist/api.d.ts.map +1 -0
- package/dist/api.js +56 -0
- package/dist/api.js.map +1 -0
- package/dist/ast/cross-file-taint.d.ts +43 -0
- package/dist/ast/cross-file-taint.d.ts.map +1 -0
- package/dist/ast/cross-file-taint.js +713 -0
- package/dist/ast/cross-file-taint.js.map +1 -0
- package/dist/ast/index.d.ts +4 -0
- package/dist/ast/index.d.ts.map +1 -1
- package/dist/ast/index.js +5 -0
- package/dist/ast/index.js.map +1 -1
- package/dist/ast/structural-parser.d.ts.map +1 -1
- package/dist/ast/structural-parser.js +66 -11
- package/dist/ast/structural-parser.js.map +1 -1
- package/dist/ast/taint-tracker.d.ts +35 -0
- package/dist/ast/taint-tracker.d.ts.map +1 -0
- package/dist/ast/taint-tracker.js +518 -0
- package/dist/ast/taint-tracker.js.map +1 -0
- package/dist/ast/types.d.ts +2 -0
- package/dist/ast/types.d.ts.map +1 -1
- package/dist/ast/typescript-ast.d.ts.map +1 -1
- package/dist/ast/typescript-ast.js +25 -5
- package/dist/ast/typescript-ast.js.map +1 -1
- package/dist/config.d.ts.map +1 -1
- package/dist/config.js +10 -9
- package/dist/config.js.map +1 -1
- package/dist/dedup.d.ts +19 -0
- package/dist/dedup.d.ts.map +1 -0
- package/dist/dedup.js +222 -0
- package/dist/dedup.js.map +1 -0
- package/dist/errors.d.ts +37 -0
- package/dist/errors.d.ts.map +1 -0
- package/dist/errors.js +57 -0
- package/dist/errors.js.map +1 -0
- package/dist/evaluators/accessibility.d.ts +1 -1
- package/dist/evaluators/accessibility.d.ts.map +1 -1
- package/dist/evaluators/accessibility.js +45 -7
- package/dist/evaluators/accessibility.js.map +1 -1
- package/dist/evaluators/agent-instructions.d.ts +1 -1
- package/dist/evaluators/agent-instructions.d.ts.map +1 -1
- package/dist/evaluators/agent-instructions.js +60 -2
- package/dist/evaluators/agent-instructions.js.map +1 -1
- package/dist/evaluators/ai-code-safety.d.ts +9 -0
- package/dist/evaluators/ai-code-safety.d.ts.map +1 -0
- package/dist/evaluators/ai-code-safety.js +507 -0
- package/dist/evaluators/ai-code-safety.js.map +1 -0
- package/dist/evaluators/api-design.d.ts +1 -1
- package/dist/evaluators/api-design.d.ts.map +1 -1
- package/dist/evaluators/api-design.js +33 -17
- package/dist/evaluators/api-design.js.map +1 -1
- package/dist/evaluators/app-builder.d.ts +34 -0
- package/dist/evaluators/app-builder.d.ts.map +1 -0
- package/dist/evaluators/app-builder.js +156 -0
- package/dist/evaluators/app-builder.js.map +1 -0
- package/dist/evaluators/authentication.d.ts +1 -1
- package/dist/evaluators/authentication.d.ts.map +1 -1
- package/dist/evaluators/authentication.js +69 -75
- package/dist/evaluators/authentication.js.map +1 -1
- package/dist/evaluators/backwards-compatibility.d.ts +1 -1
- package/dist/evaluators/backwards-compatibility.d.ts.map +1 -1
- package/dist/evaluators/backwards-compatibility.js +25 -3
- package/dist/evaluators/backwards-compatibility.js.map +1 -1
- package/dist/evaluators/caching.d.ts +1 -1
- package/dist/evaluators/caching.d.ts.map +1 -1
- package/dist/evaluators/caching.js +25 -4
- package/dist/evaluators/caching.js.map +1 -1
- package/dist/evaluators/ci-cd.d.ts +1 -1
- package/dist/evaluators/ci-cd.d.ts.map +1 -1
- package/dist/evaluators/ci-cd.js +34 -12
- package/dist/evaluators/ci-cd.js.map +1 -1
- package/dist/evaluators/cloud-readiness.d.ts +1 -1
- package/dist/evaluators/cloud-readiness.d.ts.map +1 -1
- package/dist/evaluators/cloud-readiness.js +26 -0
- package/dist/evaluators/cloud-readiness.js.map +1 -1
- package/dist/evaluators/code-structure.d.ts +1 -1
- package/dist/evaluators/code-structure.d.ts.map +1 -1
- package/dist/evaluators/code-structure.js +19 -6
- package/dist/evaluators/code-structure.js.map +1 -1
- package/dist/evaluators/compliance.d.ts +1 -1
- package/dist/evaluators/compliance.d.ts.map +1 -1
- package/dist/evaluators/compliance.js +48 -10
- package/dist/evaluators/compliance.js.map +1 -1
- package/dist/evaluators/concurrency.d.ts +1 -1
- package/dist/evaluators/concurrency.d.ts.map +1 -1
- package/dist/evaluators/concurrency.js +29 -4
- package/dist/evaluators/concurrency.js.map +1 -1
- package/dist/evaluators/configuration-management.d.ts +1 -1
- package/dist/evaluators/configuration-management.d.ts.map +1 -1
- package/dist/evaluators/configuration-management.js +57 -13
- package/dist/evaluators/configuration-management.js.map +1 -1
- package/dist/evaluators/cost-effectiveness.d.ts +1 -1
- package/dist/evaluators/cost-effectiveness.d.ts.map +1 -1
- package/dist/evaluators/cost-effectiveness.js +27 -3
- package/dist/evaluators/cost-effectiveness.js.map +1 -1
- package/dist/evaluators/cybersecurity.d.ts +1 -1
- package/dist/evaluators/cybersecurity.d.ts.map +1 -1
- package/dist/evaluators/cybersecurity.js +190 -1
- package/dist/evaluators/cybersecurity.js.map +1 -1
- package/dist/evaluators/data-security.d.ts +1 -1
- package/dist/evaluators/data-security.d.ts.map +1 -1
- package/dist/evaluators/data-security.js +114 -66
- package/dist/evaluators/data-security.js.map +1 -1
- package/dist/evaluators/data-sovereignty.d.ts +1 -1
- package/dist/evaluators/data-sovereignty.d.ts.map +1 -1
- package/dist/evaluators/data-sovereignty.js +89 -2
- package/dist/evaluators/data-sovereignty.js.map +1 -1
- package/dist/evaluators/database.d.ts +1 -1
- package/dist/evaluators/database.d.ts.map +1 -1
- package/dist/evaluators/database.js +35 -9
- package/dist/evaluators/database.js.map +1 -1
- package/dist/evaluators/dependencies.d.ts +6 -0
- package/dist/evaluators/dependencies.d.ts.map +1 -0
- package/dist/evaluators/dependencies.js +204 -0
- package/dist/evaluators/dependencies.js.map +1 -0
- package/dist/evaluators/dependency-health.d.ts +1 -1
- package/dist/evaluators/dependency-health.d.ts.map +1 -1
- package/dist/evaluators/dependency-health.js +265 -11
- package/dist/evaluators/dependency-health.js.map +1 -1
- package/dist/evaluators/documentation.d.ts +1 -1
- package/dist/evaluators/documentation.d.ts.map +1 -1
- package/dist/evaluators/documentation.js +25 -2
- package/dist/evaluators/documentation.js.map +1 -1
- package/dist/evaluators/error-handling.d.ts +1 -1
- package/dist/evaluators/error-handling.d.ts.map +1 -1
- package/dist/evaluators/error-handling.js +89 -24
- package/dist/evaluators/error-handling.js.map +1 -1
- package/dist/evaluators/ethics-bias.d.ts +1 -1
- package/dist/evaluators/ethics-bias.d.ts.map +1 -1
- package/dist/evaluators/ethics-bias.js +30 -5
- package/dist/evaluators/ethics-bias.js.map +1 -1
- package/dist/evaluators/framework-safety.d.ts +13 -0
- package/dist/evaluators/framework-safety.d.ts.map +1 -0
- package/dist/evaluators/framework-safety.js +424 -0
- package/dist/evaluators/framework-safety.js.map +1 -0
- package/dist/evaluators/index.d.ts +21 -24
- package/dist/evaluators/index.d.ts.map +1 -1
- package/dist/evaluators/index.js +297 -677
- package/dist/evaluators/index.js.map +1 -1
- package/dist/evaluators/internationalization.d.ts +1 -1
- package/dist/evaluators/internationalization.d.ts.map +1 -1
- package/dist/evaluators/internationalization.js +55 -4
- package/dist/evaluators/internationalization.js.map +1 -1
- package/dist/evaluators/logging-privacy.d.ts +1 -1
- package/dist/evaluators/logging-privacy.d.ts.map +1 -1
- package/dist/evaluators/logging-privacy.js +68 -30
- package/dist/evaluators/logging-privacy.js.map +1 -1
- package/dist/evaluators/maintainability.d.ts +1 -1
- package/dist/evaluators/maintainability.d.ts.map +1 -1
- package/dist/evaluators/maintainability.js +53 -26
- package/dist/evaluators/maintainability.js.map +1 -1
- package/dist/evaluators/observability.d.ts +1 -1
- package/dist/evaluators/observability.d.ts.map +1 -1
- package/dist/evaluators/observability.js +22 -1
- package/dist/evaluators/observability.js.map +1 -1
- package/dist/evaluators/performance.d.ts +1 -1
- package/dist/evaluators/performance.d.ts.map +1 -1
- package/dist/evaluators/performance.js +209 -2
- package/dist/evaluators/performance.js.map +1 -1
- package/dist/evaluators/portability.d.ts +1 -1
- package/dist/evaluators/portability.d.ts.map +1 -1
- package/dist/evaluators/portability.js +24 -1
- package/dist/evaluators/portability.js.map +1 -1
- package/dist/evaluators/project.d.ts +16 -0
- package/dist/evaluators/project.d.ts.map +1 -0
- package/dist/evaluators/project.js +353 -0
- package/dist/evaluators/project.js.map +1 -0
- package/dist/evaluators/rate-limiting.d.ts +1 -1
- package/dist/evaluators/rate-limiting.d.ts.map +1 -1
- package/dist/evaluators/rate-limiting.js +33 -10
- package/dist/evaluators/rate-limiting.js.map +1 -1
- package/dist/evaluators/reliability.d.ts +1 -1
- package/dist/evaluators/reliability.d.ts.map +1 -1
- package/dist/evaluators/reliability.js +20 -0
- package/dist/evaluators/reliability.js.map +1 -1
- package/dist/evaluators/scalability.d.ts +1 -1
- package/dist/evaluators/scalability.d.ts.map +1 -1
- package/dist/evaluators/scalability.js +27 -1
- package/dist/evaluators/scalability.js.map +1 -1
- package/dist/evaluators/shared.d.ts +24 -2
- package/dist/evaluators/shared.d.ts.map +1 -1
- package/dist/evaluators/shared.js +194 -26
- package/dist/evaluators/shared.js.map +1 -1
- package/dist/evaluators/software-practices.d.ts +1 -1
- package/dist/evaluators/software-practices.d.ts.map +1 -1
- package/dist/evaluators/software-practices.js +50 -3
- package/dist/evaluators/software-practices.js.map +1 -1
- package/dist/evaluators/testing.d.ts +1 -1
- package/dist/evaluators/testing.d.ts.map +1 -1
- package/dist/evaluators/testing.js +32 -4
- package/dist/evaluators/testing.js.map +1 -1
- package/dist/evaluators/ux.d.ts +1 -1
- package/dist/evaluators/ux.d.ts.map +1 -1
- package/dist/evaluators/ux.js +24 -0
- package/dist/evaluators/ux.js.map +1 -1
- package/dist/evaluators/v2.d.ts +1 -1
- package/dist/evaluators/v2.d.ts.map +1 -1
- package/dist/evaluators/v2.js +15 -35
- package/dist/evaluators/v2.js.map +1 -1
- package/dist/formatters/sarif.d.ts +75 -0
- package/dist/formatters/sarif.d.ts.map +1 -0
- package/dist/formatters/sarif.js +93 -0
- package/dist/formatters/sarif.js.map +1 -0
- package/dist/index.d.ts +4 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -782
- package/dist/index.js.map +1 -1
- package/dist/judges/accessibility.d.ts +1 -1
- package/dist/judges/accessibility.d.ts.map +1 -1
- package/dist/judges/agent-instructions.d.ts +1 -1
- package/dist/judges/agent-instructions.d.ts.map +1 -1
- package/dist/judges/ai-code-safety.d.ts +3 -0
- package/dist/judges/ai-code-safety.d.ts.map +1 -0
- package/dist/judges/ai-code-safety.js +45 -0
- package/dist/judges/ai-code-safety.js.map +1 -0
- package/dist/judges/api-design.d.ts +1 -1
- package/dist/judges/api-design.d.ts.map +1 -1
- package/dist/judges/authentication.d.ts +1 -1
- package/dist/judges/authentication.d.ts.map +1 -1
- package/dist/judges/backwards-compatibility.d.ts +1 -1
- package/dist/judges/backwards-compatibility.d.ts.map +1 -1
- package/dist/judges/caching.d.ts +1 -1
- package/dist/judges/caching.d.ts.map +1 -1
- package/dist/judges/ci-cd.d.ts +1 -1
- package/dist/judges/ci-cd.d.ts.map +1 -1
- package/dist/judges/cloud-readiness.d.ts +1 -1
- package/dist/judges/cloud-readiness.d.ts.map +1 -1
- package/dist/judges/code-structure.d.ts +1 -1
- package/dist/judges/code-structure.d.ts.map +1 -1
- package/dist/judges/compliance.d.ts +1 -1
- package/dist/judges/compliance.d.ts.map +1 -1
- package/dist/judges/concurrency.d.ts +1 -1
- package/dist/judges/concurrency.d.ts.map +1 -1
- package/dist/judges/configuration-management.d.ts +1 -1
- package/dist/judges/configuration-management.d.ts.map +1 -1
- package/dist/judges/cost-effectiveness.d.ts +1 -1
- package/dist/judges/cost-effectiveness.d.ts.map +1 -1
- package/dist/judges/cybersecurity.d.ts +1 -1
- package/dist/judges/cybersecurity.d.ts.map +1 -1
- package/dist/judges/data-security.d.ts +1 -1
- package/dist/judges/data-security.d.ts.map +1 -1
- package/dist/judges/data-sovereignty.d.ts +1 -1
- package/dist/judges/data-sovereignty.d.ts.map +1 -1
- package/dist/judges/database.d.ts +1 -1
- package/dist/judges/database.d.ts.map +1 -1
- package/dist/judges/dependency-health.d.ts +1 -1
- package/dist/judges/dependency-health.d.ts.map +1 -1
- package/dist/judges/documentation.d.ts +1 -1
- package/dist/judges/documentation.d.ts.map +1 -1
- package/dist/judges/error-handling.d.ts +1 -1
- package/dist/judges/error-handling.d.ts.map +1 -1
- package/dist/judges/ethics-bias.d.ts +1 -1
- package/dist/judges/ethics-bias.d.ts.map +1 -1
- package/dist/judges/framework-safety.d.ts +3 -0
- package/dist/judges/framework-safety.d.ts.map +1 -0
- package/dist/judges/framework-safety.js +25 -0
- package/dist/judges/framework-safety.js.map +1 -0
- package/dist/judges/index.d.ts +1 -1
- package/dist/judges/index.d.ts.map +1 -1
- package/dist/judges/index.js +76 -0
- package/dist/judges/index.js.map +1 -1
- package/dist/judges/internationalization.d.ts +1 -1
- package/dist/judges/internationalization.d.ts.map +1 -1
- package/dist/judges/logging-privacy.d.ts +1 -1
- package/dist/judges/logging-privacy.d.ts.map +1 -1
- package/dist/judges/maintainability.d.ts +1 -1
- package/dist/judges/maintainability.d.ts.map +1 -1
- package/dist/judges/observability.d.ts +1 -1
- package/dist/judges/observability.d.ts.map +1 -1
- package/dist/judges/performance.d.ts +1 -1
- package/dist/judges/performance.d.ts.map +1 -1
- package/dist/judges/portability.d.ts +1 -1
- package/dist/judges/portability.d.ts.map +1 -1
- package/dist/judges/rate-limiting.d.ts +1 -1
- package/dist/judges/rate-limiting.d.ts.map +1 -1
- package/dist/judges/reliability.d.ts +1 -1
- package/dist/judges/reliability.d.ts.map +1 -1
- package/dist/judges/scalability.d.ts +1 -1
- package/dist/judges/scalability.d.ts.map +1 -1
- package/dist/judges/software-practices.d.ts +1 -1
- package/dist/judges/software-practices.d.ts.map +1 -1
- package/dist/judges/testing.d.ts +1 -1
- package/dist/judges/testing.d.ts.map +1 -1
- package/dist/judges/ux.d.ts +1 -1
- package/dist/judges/ux.d.ts.map +1 -1
- package/dist/language-patterns.d.ts +37 -0
- package/dist/language-patterns.d.ts.map +1 -1
- package/dist/language-patterns.js +59 -4
- package/dist/language-patterns.js.map +1 -1
- package/dist/patches/index.d.ts +10 -0
- package/dist/patches/index.d.ts.map +1 -0
- package/dist/patches/index.js +533 -0
- package/dist/patches/index.js.map +1 -0
- package/dist/reports/public-repo-report.d.ts +3 -1
- package/dist/reports/public-repo-report.d.ts.map +1 -1
- package/dist/reports/public-repo-report.js +41 -0
- package/dist/reports/public-repo-report.js.map +1 -1
- package/dist/scoring.d.ts +18 -0
- package/dist/scoring.d.ts.map +1 -0
- package/dist/scoring.js +178 -0
- package/dist/scoring.js.map +1 -0
- package/dist/tools/deep-review.d.ts +4 -0
- package/dist/tools/deep-review.d.ts.map +1 -0
- package/dist/tools/deep-review.js +56 -0
- package/dist/tools/deep-review.js.map +1 -0
- package/dist/tools/prompts.d.ts +8 -0
- package/dist/tools/prompts.d.ts.map +1 -0
- package/dist/tools/prompts.js +66 -0
- package/dist/tools/prompts.js.map +1 -0
- package/dist/tools/register-evaluation.d.ts +7 -0
- package/dist/tools/register-evaluation.d.ts.map +1 -0
- package/dist/tools/register-evaluation.js +303 -0
- package/dist/tools/register-evaluation.js.map +1 -0
- package/dist/tools/register-workflow.d.ts +7 -0
- package/dist/tools/register-workflow.d.ts.map +1 -0
- package/dist/tools/register-workflow.js +395 -0
- package/dist/tools/register-workflow.js.map +1 -0
- package/dist/tools/register.d.ts +7 -0
- package/dist/tools/register.d.ts.map +1 -0
- package/dist/tools/register.js +14 -0
- package/dist/tools/register.js.map +1 -0
- package/dist/tools/schemas.d.ts +26 -0
- package/dist/tools/schemas.d.ts.map +1 -0
- package/dist/tools/schemas.js +42 -0
- package/dist/tools/schemas.js.map +1 -0
- package/dist/types.d.ts +53 -2
- package/dist/types.d.ts.map +1 -1
- package/package.json +42 -3
- package/server.json +51 -3
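--- a/package/dist/evaluators/error-handling.js
+++ b/package/dist/evaluators/error-handling.js
@@ -1,21 +1,23 @@
-import { getLineNumbers, getLangFamily } from "./shared.js";
+import { getLineNumbers, getLangLineNumbers, getLangFamily } from "./shared.js";
+import * as LP from "../language-patterns.js";
 export function analyzeErrorHandling(code, language) {
 const findings = [];
 let ruleNum = 1;
 const prefix = "ERR";
 const lang = getLangFamily(language);
-// Empty catch blocks
-const
-const emptyCatchLines = getLineNumbers(code, emptyCatchPattern);
+// Empty catch blocks (multi-language)
+const emptyCatchLines = getLangLineNumbers(code, language, LP.EMPTY_CATCH);
 if (emptyCatchLines.length > 0) {
 findings.push({
 ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
 severity: "high",
-title: "Empty catch block swallows errors",
-description: `Found ${emptyCatchLines.length} empty
+title: "Empty catch/error block swallows errors",
+description: `Found ${emptyCatchLines.length} empty error-handling block(s). Silently swallowing errors hides bugs, makes debugging impossible, and can leave the application in an inconsistent state.`,
 lineNumbers: emptyCatchLines,
 recommendation: "Log the error with context, re-throw it, or handle it meaningfully. If intentionally ignoring, add a comment explaining why.",
 reference: "ESLint no-empty / Error Handling Best Practices",
+suggestedFix: "Add error handling: catch (error) { logger.error('Operation failed', { error }); throw error; } (JS/TS), except Exception as e: logger.error(e); raise (Python), .map_err(|e| { log::error!(\"{e}\"); e }) (Rust).",
+confidence: 0.9,
 });
 }
 // Catch with no error parameter
@@ -30,6 +32,8 @@ export function analyzeErrorHandling(code, language) {
 lineNumbers: catchNoParamLines,
 recommendation: "Capture the error parameter: catch(error) { ... } and use it for logging, error classification, or re-throwing.",
 reference: "Error Handling Best Practices",
+suggestedFix: "Add error parameter: catch (error) { ... } instead of catch () { ... }.",
+confidence: 0.9,
 });
 }
 // No global error handler / middleware
@@ -46,6 +50,8 @@ export function analyzeErrorHandling(code, language) {
 description: "Server code without a global error handler. Unhandled errors will crash the process or return raw stack traces to clients.",
 recommendation: "Add Express error middleware (app.use((err, req, res, next) => { ... })), process.on('uncaughtException'), and process.on('unhandledRejection') handlers.",
 reference: "Express Error Handling / Node.js Best Practices",
+suggestedFix: "Add global error middleware: app.use((err, req, res, next) => { logger.error(err); res.status(500).json({ error: 'Internal error' }); }); and process.on('unhandledRejection', handler).",
+confidence: 0.7,
 });
 }
 // Generic error responses
@@ -60,21 +66,23 @@ export function analyzeErrorHandling(code, language) {
 lineNumbers: genericErrorLines,
 recommendation: "Return structured error responses with error codes, human-readable messages, and suggested actions. Use a consistent error response schema.",
 reference: "RFC 7807 (Problem Details for HTTP APIs)",
+suggestedFix: "Return structured errors: res.status(400).json({ type: 'validation_error', title: 'Invalid input', detail: 'Field email is required', instance: req.path }).",
+confidence: 0.75,
 });
 }
-// Async function without try/catch or .catch
-const
-const
-
-const tryCatchMatches = code.match(hasTryCatch)?.length || 0;
-if (asyncMatches > 0 && tryCatchMatches === 0) {
+// Async function without try/catch or .catch (multi-language)
+const asyncFuncLines = getLangLineNumbers(code, language, LP.ASYNC_FUNCTION);
+const tryCatchLines = getLangLineNumbers(code, language, LP.TRY_CATCH);
+if (asyncFuncLines.length > 0 && tryCatchLines.length === 0) {
 findings.push({
 ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
 severity: "medium",
 title: "Async functions without error handling",
-description: `Found ${
-recommendation: "Wrap async operations in try/catch
-reference: "
+description: `Found ${asyncFuncLines.length} async function(s) but no error-handling blocks. Unhandled async errors can crash the process or cause silent failures.`,
+recommendation: "Wrap async operations in try/catch (JS/TS/C#/Java), try/except (Python), or check errors explicitly (Go/Rust).",
+reference: "Async Error Handling Best Practices",
+suggestedFix: "Wrap async handlers: try { await operation(); } catch (error) { logger.error(error); } (JS/TS), try: await operation() except Exception as e: ... (Python), if err != nil { ... } (Go).",
+confidence: 0.7,
 });
 }
 // Callback without error check (Node.js pattern)
@@ -89,6 +97,8 @@ export function analyzeErrorHandling(code, language) {
 description: "Code uses callbacks but doesn't appear to check for errors. In Node.js, the error-first callback pattern requires checking the error parameter.",
 recommendation: "Always check the error parameter first in callbacks: if (err) { return handleError(err); }",
 reference: "Node.js Error-First Callbacks",
+suggestedFix: "Add error-first check: function callback(err, result) { if (err) { return handleError(err); } // proceed with result }.",
+confidence: 0.7,
 });
 }
 // Throwing strings instead of Error objects
@@ -103,20 +113,23 @@ export function analyzeErrorHandling(code, language) {
 lineNumbers: throwStringLines,
 recommendation: "Always throw Error objects: throw new Error('message') or custom error classes that extend Error.",
 reference: "ESLint no-throw-literal / JavaScript Error Handling",
+suggestedFix: "Replace throw 'message' with throw new Error('message').",
+confidence: 0.9,
 });
 }
-// process.exit
-const
-
-if (processExitLines.length > 0) {
+// Abrupt process termination (multi-language: process.exit, sys.exit, panic, unwrap, etc.)
+const panicExitLines = getLangLineNumbers(code, language, LP.PANIC_UNWRAP);
+if (panicExitLines.length > 0) {
 findings.push({
 ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
 severity: "high",
-title: "process
-description:
-lineNumbers:
-recommendation: "Use proper error propagation instead of
-reference: "
+title: "Abrupt process termination instead of proper error handling",
+description: `Found ${panicExitLines.length} abrupt termination call(s) (process.exit, sys.exit, panic, .unwrap). These skip cleanup handlers, drop in-flight requests, and can corrupt data.`,
+lineNumbers: panicExitLines,
+recommendation: "Use proper error propagation instead of abrupt termination. Return error responses in HTTP servers. Let the process shutdown gracefully.",
+reference: "Graceful Shutdown Best Practices / CWE-705",
+suggestedFix: "Replace abrupt exits with graceful shutdown: server.close(() => cleanup()) (JS), raise SystemExit (Python), return Err(...) instead of .unwrap() (Rust), os.Exit only in main() (Go).",
+confidence: 0.9,
 });
 }
 // Catch-and-rethrow without added context
@@ -131,6 +144,8 @@ export function analyzeErrorHandling(code, language) {
 lineNumbers: catchRethrowLines,
 recommendation: "Either add context when rethrowing (new Error('context', { cause: err })) or remove the try/catch entirely and let the error propagate naturally.",
 reference: "Error Handling Best Practices / Error Wrapping",
+suggestedFix: "Add context when rethrowing: throw new Error('Failed to process order', { cause: err }); or remove the redundant try/catch entirely.",
+confidence: 0.85,
 });
 }
 // Error swallowed with only console.log
@@ -145,6 +160,8 @@ export function analyzeErrorHandling(code, language) {
 lineNumbers: swallowedLines,
 recommendation: "After logging, rethrow the error, return an error response, or propagate the failure to the caller. Silent failures are as dangerous as empty catch blocks.",
 reference: "Error Handling Patterns / Don't Swallow Errors",
+suggestedFix: "After logging, propagate the failure: catch (error) { logger.error(error); throw error; } or return an error response to the caller.",
+confidence: 0.85,
 });
 }
 // Missing error codes in error responses
@@ -160,6 +177,8 @@ export function analyzeErrorHandling(code, language) {
 lineNumbers: errorRespLines.slice(0, 5),
 recommendation: "Include a machine-readable error code in responses: { code: 'VALIDATION_ERROR', message: '...' }. Use RFC 7807 Problem Details format.",
 reference: "RFC 7807: Problem Details for HTTP APIs",
+suggestedFix: "Add machine-readable error codes: res.status(422).json({ code: 'VALIDATION_FAILED', message: '...', details: [...] }).",
+confidence: 0.7,
 });
 }
 // console.error as sole error strategy
@@ -174,6 +193,52 @@ export function analyzeErrorHandling(code, language) {
 description: `Found ${consoleErrorLines.length} console.error call(s) with no error reporting service. Console output is transient — errors won't be tracked, aggregated, or alerted on.`,
 recommendation: "Integrate an error reporting service (Sentry, Bugsnag, Application Insights). These provide aggregation, alerting, and stack trace analysis.",
 reference: "Error Monitoring Best Practices",
+suggestedFix: "Integrate an error reporting service: Sentry.captureException(error) or appInsights.trackException({ exception: error }) for aggregation and alerting.",
+confidence: 0.7,
+});
+}
+// Promise .then() chains without .catch()
+const thenWithoutCatch = [];
+const cLines = code.split("\n");
+cLines.forEach((line, i) => {
+if (/\.then\s*\(/i.test(line) && thenWithoutCatch.length < 10) {
+const context = cLines.slice(i, Math.min(cLines.length, i + 6)).join("\n");
+if (!/\.catch\s*\(|\.finally\s*\(/.test(context)) {
+// Also check preceding lines for await (which handles rejection differently)
+const precedingContext = cLines.slice(Math.max(0, i - 2), i + 1).join("\n");
+if (!/\bawait\b/.test(precedingContext)) {
+thenWithoutCatch.push(i + 1);
+}
+}
+}
+});
+if (thenWithoutCatch.length > 0) {
+findings.push({
+ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+severity: "high",
+title: "Promise .then() chain without .catch()",
+description: `Found ${thenWithoutCatch.length} Promise .then() chain(s) without a .catch() handler. Unhandled promise rejections crash Node.js processes and cause silent failures in browsers.`,
+lineNumbers: thenWithoutCatch,
+recommendation: "Always add .catch() at the end of Promise chains, or refactor to async/await with try/catch. Enable the 'no-floating-promises' ESLint rule.",
+reference: "Node.js Unhandled Rejections / CWE-755",
+suggestedFix: "Append .catch(error => { logger.error(error); }) to the Promise chain, or refactor to async/await with try/catch.",
+confidence: 0.75,
+});
+}
+// Stack trace or full error object sent to client
+const stackExposurePattern = /(?:res\.(?:json|send|status)\s*\(.*(?:\.stack|err\b|error\b)\s*\)|\.json\s*\(\s*(?:err|error)\s*\)|\.send\s*\(\s*(?:err|error)\s*\))/gi;
+const stackExposureLines = getLineNumbers(code, stackExposurePattern);
+if (stackExposureLines.length > 0) {
+findings.push({
+ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
+severity: "high",
+title: "Stack trace or error internals exposed to client",
+description: `Found ${stackExposureLines.length} location(s) where error objects or stack traces may be sent directly in HTTP responses. This leaks internal file paths, library versions, and system details to attackers.`,
+lineNumbers: stackExposureLines,
+recommendation: "Never send raw error objects to clients. Return a generic error message with a correlation ID. Log the full error server-side. Use environment checks to show details only in development.",
+reference: "CWE-209: Information Exposure Through Error Messages",
+suggestedFix: "Return a generic message with correlation ID: res.status(500).json({ error: 'Internal error', correlationId: req.id }); and log the full error server-side.",
+confidence: 0.85,
 });
 }
 return findings;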
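Review bot: The new `stackExposurePattern` only fires when `.stack`, `err` or `error` is immediately followed by `)`, so the most common leak shapes on the new side — `res.status(500).json({ error: err.stack })` and `res.status(500).json({ error })` — are not reported at all, while a sanitised call such as `res.status(500).json(sanitize(error))` is; the first alternation should tolerate closing braces before the paren and anchor the identifiers, e.g. `(?:\.stack|\berr\b|\berror\b)[\s}\]]*\)`. In the abrupt-termination finding, `raise SystemExit (Python)` in `suggestedFix` recommends the very behaviour the rule flags, since `sys.exit()` itself raises `SystemExit`; propagating the exception or returning an error value would be the consistent advice. The `.then()` heuristic only scans six lines ahead for `.catch`/`.finally`, so chains with longer callbacks will be reported as unhandled — worth stating in the comment above `thenWithoutCatch` so the `confidence: 0.75` is understood. The closing brace of `analyzeErrorHandling` lies outside the hunk.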
@@ -1 +1 @@
1
-
{"version":3,"file":"error-handling.js","sourceRoot":"","sources":["../../src/evaluators/error-handling.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,
1
+
{"version":3,"file":"error-handling.js","sourceRoot":"","sources":["../../src/evaluators/error-handling.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAChF,OAAO,KAAK,EAAE,MAAM,yBAAyB,CAAC;AAE9C,MAAM,UAAU,oBAAoB,CAAC,IAAY,EAAE,QAAgB;IACjE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAG,KAAK,CAAC;IACrB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,sCAAsC;IACtC,MAAM,eAAe,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC3E,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,yCAAyC;YAChD,WAAW,EAAE,SAAS,eAAe,CAAC,MAAM,4JAA4J;YACxM,WAAW,EAAE,eAAe;YAC5B,cAAc,EACZ,8HAA8H;YAChI,SAAS,EAAE,iDAAiD;YAC5D,YAAY,EACV,oNAAoN;YACtN,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,gCAAgC;IAChC,MAAM,mBAAmB,GAAG,uBAAuB,CAAC;IACpD,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACpE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,mCAAmC;YAC1C,WAAW,EACT,sIAAsI;YACxI,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EACZ,iHAAiH;YACnH,SAAS,EAAE,+BAA+B;YAC1C,YAAY,EAAE,yEAAyE;YACvF,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,MAAM,gBAAgB,GACpB,4CAA4C,CAAC,IAAI,CAAC,IAAI,CAAC;QACvD,uEAAuE,CAAC,IAAI,CAAC,IAAI,CAAC;QAClF,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC;QAC5E,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,aAAa,GAAG,mFAAmF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrH,IAAI,aAAa,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,kCAAkC;YACzC,WAAW,EACT,4HAA4H;YAC9H,cAAc,EACZ,2JAA2J;YAC7J,SAAS,EAAE,iDAAiD;YAC5D,YAAY,EACV,0LAA0L;YAC5L,UAAU,EAAE,GAAG;
SAChB,CAAC,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,MAAM,mBAAmB,GACvB,sIAAsI,CAAC;IACzI,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACpE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,4CAA4C;YACnD,WAAW,EACT,qIAAqI;YACvI,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EACZ,6IAA6I;YAC/I,SAAS,EAAE,0CAA0C;YACrD,YAAY,EACV,8JAA8J;YAChK,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,8DAA8D;IAC9D,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC;IAC7E,MAAM,aAAa,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC;IACvE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5D,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,SAAS,cAAc,CAAC,MAAM,yHAAyH;YACpK,cAAc,EACZ,gHAAgH;YAClH,SAAS,EAAE,qCAAqC;YAChD,YAAY,EACV,yLAAyL;YAC3L,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,iDAAiD;IACjD,MAAM,oBAAoB,GAAG,8DAA8D,CAAC;IAC5F,MAAM,kBAAkB,GAAG,qCAAqC,CAAC;IACjE,MAAM,YAAY,GAAG,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5F,IAAI,YAAY,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACnF,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,yCAAyC;YAChD,WAAW,EACT,iJAAiJ;YACnJ,cAAc,EAAE,4FAA4F;YAC5G,SAAS,EAAE,+BAA+B;YAC1C,YAAY,EACV,yHAAyH;YAC3H,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,4CAA4C;IAC5C,MAAM,kBAAkB,GAAG,gBAAgB,CAAC;IAC5C,MAAM,gBAAgB,GAAG,cAAc,CAAC,IAAI,EAAE,kBAAkB,CAAC,CAAC;IAClE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,mDAAmD;YAC1D,WAAW,EACT,wGAAwG;YAC1G,WAAW,EAA
E,gBAAgB;YAC7B,cAAc,EACZ,mGAAmG;YACrG,SAAS,EAAE,qDAAqD;YAChE,YAAY,EAAE,0DAA0D;YACxE,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,2FAA2F;IAC3F,MAAM,cAAc,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC;IAC3E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,6DAA6D;YACpE,WAAW,EAAE,SAAS,cAAc,CAAC,MAAM,mJAAmJ;YAC9L,WAAW,EAAE,cAAc;YAC3B,cAAc,EACZ,0IAA0I;YAC5I,SAAS,EAAE,4CAA4C;YACvD,YAAY,EACV,uLAAuL;YACzL,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,mBAAmB,GAAG,wDAAwD,CAAC;IACrF,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACpE,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,yCAAyC;YAChD,WAAW,EAAE,SAAS,iBAAiB,CAAC,MAAM,6JAA6J;YAC3M,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EACZ,mJAAmJ;YACrJ,SAAS,EAAE,gDAAgD;YAC3D,YAAY,EACV,sIAAsI;YACxI,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IACxC,MAAM,qBAAqB,GAAG,gFAAgF,CAAC;IAC/G,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,EAAE,qBAAqB,CAAC,CAAC;IACnE,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,+CAA+C;YACtD,WAAW,EAAE,SAAS,cAAc,CAAC,MAAM,iJAAiJ;YAC5L,WAAW,EAAE,cAAc;YAC3B,cAAc,EACZ,6JAA6J;YAC/J,SAAS,EAAE,gDAAgD;YAC3D,YAAY,EACV,sIAAsI;YACxI,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,yCAAyC;IACzC,MAAM,oBAAoB,GAAG,qDAAqD,CAAC;IACnF,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,EAAE,oBAAoB,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,oEAAoE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtG,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QAChD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,qCAAqC;YAC5C,W
AAW,EACT,0IAA0I;YAC5I,WAAW,EAAE,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACvC,cAAc,EACZ,wIAAwI;YAC1I,SAAS,EAAE,yCAAyC;YACpD,YAAY,EACV,wHAAwH;YAC1H,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;IACnD,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,EAAE,mBAAmB,CAAC,CAAC;IACpE,MAAM,iBAAiB,GACrB,wFAAwF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtG,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,gDAAgD;YACvD,WAAW,EAAE,SAAS,iBAAiB,CAAC,MAAM,2IAA2I;YACzL,cAAc,EACZ,8IAA8I;YAChJ,SAAS,EAAE,iCAAiC;YAC5C,YAAY,EACV,wJAAwJ;YAC1J,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACzB,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC9D,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC3E,IAAI,CAAC,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjD,6EAA6E;gBAC7E,MAAM,gBAAgB,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC5E,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC;oBACxC,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC/B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EAAE,SAAS,gBAAgB,CAAC,MAAM,mJAAmJ;YAChM,WAAW,EAAE,gBAAgB;YAC7B,cAAc,EACZ,6IAA6I;YAC/I,SAAS,EAAE,wCAAwC;YACnD,YAAY,EACV,mHAAmH;YACrH,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,kDAAkD;IAClD,MAAM,oBAAoB,GACxB,wIAAwI,CAAC;IAC3I,MAAM,kBAAkB,GAAG,cAAc,CAAC,IAAI,
EAAE,oBAAoB,CAAC,CAAC;IACtE,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,kDAAkD;YACzD,WAAW,EAAE,SAAS,kBAAkB,CAAC,MAAM,6KAA6K;YAC5N,WAAW,EAAE,kBAAkB;YAC/B,cAAc,EACZ,4LAA4L;YAC9L,SAAS,EAAE,sDAAsD;YACjE,YAAY,EACV,6JAA6J;YAC/J,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
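--- a/package/dist/evaluators/ethics-bias.d.ts.map
+++ b/package/dist/evaluators/ethics-bias.d.ts.map
@@ -1 +1 @@
-{"version":3,"file":"ethics-bias.d.ts","sourceRoot":"","sources":["../../src/evaluators/ethics-bias.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;
+{"version":3,"file":"ethics-bias.d.ts","sourceRoot":"","sources":["../../src/evaluators/ethics-bias.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3C,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAwT3E"}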
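--- a/package/dist/evaluators/ethics-bias.js
+++ b/package/dist/evaluators/ethics-bias.js
@@ -33,12 +33,15 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: demographicLines,
 recommendation: "Review whether demographic-based logic is legally compliant and ethically justified. Document the business justification. Consider bias testing.",
 reference: "EU AI Act / Anti-Discrimination Laws / Algorithmic Fairness",
+suggestedFix: "Replace demographic conditionals with policy-driven rules or feature flags, and add bias-impact documentation for any remaining demographic logic.",
+confidence: 0.8,
 });
 }
 // Detect scoring/ranking without explainability
 const scoringLines = [];
 lines.forEach((line, i) => {
-if (/(?:score|rank|rating|risk)\s*(?:\+|=|-|\*|\/)/i.test(line) &&
+if (/(?:score|rank|rating|risk)\s*(?:\+|=|-|\*|\/)/i.test(line) &&
+/(?:user|customer|applicant|candidate|patient)/i.test(lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join("\n"))) {
 scoringLines.push(i + 1);
 }
 });
@@ -52,6 +55,8 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: scoringLines,
 recommendation: "Log all factors contributing to scores. Provide mechanisms for users to understand and contest automated decisions.",
 reference: "GDPR Article 22 / EU AI Act Transparency Requirements",
+suggestedFix: "Add a scoring explanation object that logs each factor and weight, and expose a `getScoreExplanation()` method for audit and user queries.",
+confidence: 0.75,
 });
 }
 // Detect automated decision-making without human review
@@ -59,7 +64,8 @@ export function analyzeEthicsBias(code, language) {
 lines.forEach((line, i) => {
 if (/(?:approve|reject|deny|block|suspend|terminate|ban)\s*\(/i.test(line)) {
 const context = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join("\n");
-if (!/review|manual|human|override|appeal|queue.*review/i.test(context) &&
+if (!/review|manual|human|override|appeal|queue.*review/i.test(context) &&
+/auto|bot|system|cron|scheduled/i.test(context)) {
 autoDecisionLines.push(i + 1);
 }
 }
@@ -73,13 +79,16 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: autoDecisionLines,
 recommendation: "Implement human-in-the-loop for high-impact automated decisions. Provide appeal mechanisms and audit trails.",
 reference: "GDPR Article 22 / Right to Human Review",
+suggestedFix: "Route high-impact decisions through a review queue instead of executing immediately, and add an appeal/override endpoint for human reviewers.",
+confidence: 0.75,
 });
 }
 // Detect dark patterns in UI code
 const darkPatternLines = [];
 lines.forEach((line, i) => {
 // Pre-checked checkboxes for marketing
-if (/(?:checked|defaultChecked|selected)\s*[=:]\s*(?:true|{true})/i.test(line) &&
+if (/(?:checked|defaultChecked|selected)\s*[=:]\s*(?:true|{true})/i.test(line) &&
+/(?:newsletter|marketing|promo|subscribe|opt|consent|agree|terms)/i.test(line)) {
 darkPatternLines.push(i + 1);
 }
 // Hidden inputs for consent
@@ -96,6 +105,8 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: darkPatternLines,
 recommendation: "Ensure all consent mechanisms are opt-in (unchecked by default), clearly visible, and use plain language.",
 reference: "FTC Dark Patterns Guidelines / GDPR Valid Consent",
+suggestedFix: "Set `checked`/`defaultChecked` to `false` for consent checkboxes and change hidden consent inputs to visible, clearly-labeled form fields.",
+confidence: 0.85,
 });
 }
 // Detect exclusionary language in code/comments
@@ -114,12 +125,15 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: exclusionaryLines,
 recommendation: "Use inclusive alternatives: allowlist/denylist, primary/replica, placeholder, confidence check.",
 reference: "Inclusive Naming Initiative / Google Developer Style Guide",
+suggestedFix: "Rename `whitelist`→`allowlist`, `blacklist`→`denylist`, `master/slave`→`primary/replica`, and `sanity check`→`confidence check`.",
+confidence: 0.85,
 });
 }
 // Detect biased training data or model references
 const biasedDataLines = [];
 lines.forEach((line, i) => {
-if (/(?:train|dataset|corpus|sample)\s*(?:=|\.)/i.test(line) &&
+if (/(?:train|dataset|corpus|sample)\s*(?:=|\.)/i.test(line) &&
+!/(?:balanced|stratified|representative|fairness|bias.?check|debiased)/i.test(lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join("\n"))) {
 if (/(?:predict|classify|recommend|score|rank)/i.test(lines.slice(i, Math.min(lines.length, i + 20)).join("\n"))) {
 biasedDataLines.push(i + 1);
 }
@@ -134,6 +148,8 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: biasedDataLines.slice(0, 5),
 recommendation: "Implement data auditing for representation, test model outputs across demographic groups, and document data provenance.",
 reference: "ML Fairness / Responsible AI Practices",
+suggestedFix: "Add a bias-audit step (e.g., `auditDatasetBalance(dataset)`) before training, and log demographic distribution metrics for each dataset.",
+confidence: 0.7,
 });
 }
 // Detect manipulative UI urgency patterns
@@ -152,6 +168,8 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: urgencyLines,
 recommendation: "Ensure scarcity/urgency messaging reflects real inventory or time limits. Verify claims are accurate and not manufactured.",
 reference: "FTC Dark Patterns / Consumer Protection",
+suggestedFix: "Replace hardcoded urgency strings with data-driven values sourced from real inventory or deadline APIs, and remove any fabricated scarcity copy.",
+confidence: 0.85,
 });
 }
 // Detect data collection beyond stated purpose
@@ -173,12 +191,15 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: excessiveCollectionLines,
 recommendation: "Only collect data necessary for the stated feature. Document the purpose and obtain consent before accessing device APIs.",
 reference: "GDPR Data Minimization / Privacy by Design",
+suggestedFix: "Gate device-API calls behind a consent check (e.g., `if (hasUserConsent('geolocation')) { ... }`) and document the data-collection purpose inline.",
+confidence: 0.8,
 });
 }
 // Detect price discrimination patterns
 const pricingLines = [];
 lines.forEach((line, i) => {
-if (/(?:price|cost|fee|rate)\s*(?:\*|=|\+)/i.test(line) &&
+if (/(?:price|cost|fee|rate)\s*(?:\*|=|\+)/i.test(line) &&
+/(?:location|region|country|device|platform|userAgent|browser)/i.test(line)) {
 pricingLines.push(i + 1);
 }
 });
@@ -191,6 +212,8 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: pricingLines,
 recommendation: "If price varies by region, be transparent about it. Ensure pricing differences are based on legitimate factors (taxes, shipping) not user profiling.",
 reference: "Consumer Protection / Fair Pricing Laws",
+suggestedFix: "Separate tax/shipping adjustments from base price, remove device/userAgent from pricing logic, and display a price-breakdown to the user.",
+confidence: 0.8,
 });
 }
 // Detect accessibility barriers as ethics issue
@@ -212,6 +235,8 @@ export function analyzeEthicsBias(code, language) {
 lineNumbers: accessBarrierLines,
 recommendation: "Provide accessible CAPTCHA alternatives (audio, logic puzzles) or use invisible CAPTCHA methods that don't require visual interaction.",
 reference: "WCAG 1.1.1 Non-text Content / Digital Inclusion",
+suggestedFix: "Add an audio CAPTCHA fallback or switch to an invisible/accessible CAPTCHA provider (e.g., reCAPTCHA v3) that doesn't require visual interaction.",
+confidence: 0.75,
 });
 }
 return findings;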
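Review bot: The keyword filters added to the dark-pattern and price-discrimination checks (new lines 91 and 202) test only the same `line` that matched `checked=…`/`price =`, whereas the scoring, auto-decision and training-data checks in this same commit use a multi-line window; in JSX and HTML the `name="newsletter"` attribute and `defaultChecked` routinely sit on different lines, so those pre-checked consent boxes are now silently skipped rather than reported. Line 91 also lets the bare `opt` alternative match `option`, `optional` or `optimize`, which is noise for a finding emitted at confidence 0.85. I would reuse the small window the other checks use and tighten the token: `/(?:newsletter|marketing|promo|subscribe|opt[-_ ]?(?:in|out)|consent|agree|terms)/i.test(lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join("\n"))`. The `/auto|bot|system|cron|scheduled/i` precondition added at line 68 likewise means an `approve(`/`reject(` call in an ordinary request handler is no longer reported at all, and `system` also matches `filesystem`; that trade-off deserves a comment such as `// Only flag when the surrounding context signals automation; interactive handlers are not reported`. `analyzeEthicsBias` opens before the first hunk and its closing brace follows `return findings;` after the last one.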
@@ -1 +1 @@
1
-
{"version":3,"file":"ethics-bias.js","sourceRoot":"","sources":["../../src/evaluators/ethics-bias.ts"],"names":[],"mappings":"AACA,OAAO,
1
+
{"version":3,"file":"ethics-bias.js","sourceRoot":"","sources":["../../src/evaluators/ethics-bias.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,UAAU,iBAAiB,CAAC,IAAY,EAAE,QAAgB;IAC9D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,QAAQ,CAAC;IACxB,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,IAAI,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAAW,EAAE;QAClD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YACxB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,mBAAmB,GAAG,CAAC,IAAY,EAAU,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,4BAA4B,EAAE,EAAE,CAAC,CAAC;IAErG,gDAAgD;IAChD,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,iBAAiB,CAAC,IAAI,CAAC;YAAE,OAAO;QACpC,MAAM,cAAc,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACjD,IACE,yGAAyG,CAAC,IAAI,CAC5G,cAAc,CACf,EACD,CAAC;YACD,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EACT,+HAA+H;YACjI,WAAW,EAAE,gBAAgB;YAC7B,cAAc,EACZ,kJAAkJ;YACpJ,SAAS,EAAE,6DAA6D;YACxE,YAAY,EACV,oJAAoJ;YACtJ,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,gDAAgD;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IACE,gDAAgD,CAAC,IAAI,CAAC,IAAI,CAAC;YAC3D,gDAAgD,CAAC,IAAI,CACnD,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAC5E,EACD,CAAC;YACD,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,MAAM,iBAAiB,GAAG,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;
IACjG,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EACT,0HAA0H;YAC5H,WAAW,EAAE,YAAY;YACzB,cAAc,EACZ,qHAAqH;YACvH,SAAS,EAAE,uDAAuD;YAClE,YAAY,EACV,4IAA4I;YAC9I,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,wDAAwD;IACxD,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3E,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1F,IACE,CAAC,oDAAoD,CAAC,IAAI,CAAC,OAAO,CAAC;gBACnE,iCAAiC,CAAC,IAAI,CAAC,OAAO,CAAC,EAC/C,CAAC;gBACD,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,uDAAuD;YAC9D,WAAW,EACT,qIAAqI;YACvI,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EACZ,8GAA8G;YAChH,SAAS,EAAE,yCAAyC;YACpD,YAAY,EACV,+IAA+I;YACjJ,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,kCAAkC;IAClC,MAAM,gBAAgB,GAAa,EAAE,CAAC;IACtC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,uCAAuC;QACvC,IACE,+DAA+D,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1E,mEAAmE,CAAC,IAAI,CAAC,IAAI,CAAC,EAC9E,CAAC;YACD,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/B,CAAC;QACD,4BAA4B;QAC5B,IAAI,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/E,gBAAgB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,iCAAiC;YACxC,WAAW,EACT,gIAAgI;YAClI,WAAW,
EAAE,gBAAgB;YAC7B,cAAc,EACZ,2GAA2G;YAC7G,SAAS,EAAE,mDAAmD;YAC9D,YAAY,EACV,4IAA4I;YAC9I,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,gDAAgD;IAChD,MAAM,iBAAiB,GAAa,EAAE,CAAC;IACvC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,uEAAuE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACvF,iBAAiB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAChC,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,KAAK;YACf,KAAK,EAAE,gCAAgC;YACvC,WAAW,EACT,yHAAyH;YAC3H,WAAW,EAAE,iBAAiB;YAC9B,cAAc,EAAE,iGAAiG;YACjH,SAAS,EAAE,4DAA4D;YACvE,YAAY,EACV,kIAAkI;YACpI,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,kDAAkD;IAClD,MAAM,eAAe,GAAa,EAAE,CAAC;IACrC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IACE,6CAA6C,CAAC,IAAI,CAAC,IAAI,CAAC;YACxD,CAAC,uEAAuE,CAAC,IAAI,CAC3E,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAC1E,EACD,CAAC;YACD,IACE,4CAA4C,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAC5G,CAAC;gBACD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,6CAA6C;YACpD,WAAW,EACT,gIAAgI;YAClI,WAAW,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;YACxC,cAAc,EACZ,yHAAyH;YAC3H,SAAS,EAAE,wCAAwC;YACnD,YAAY,EACV,0IAA0I;YAC5I,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IACE,4GAA4G,CAAC,IAAI,CAC/G,IAAI,CACL,EACD,CAAC;YACD,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,
IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,qCAAqC;YAC5C,WAAW,EACT,gHAAgH;YAClH,WAAW,EAAE,YAAY;YACzB,cAAc,EACZ,4HAA4H;YAC9H,SAAS,EAAE,yCAAyC;YACpD,YAAY,EACV,kJAAkJ;YACpJ,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,MAAM,wBAAwB,GAAa,EAAE,CAAC;IAC9C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IACE,2HAA2H,CAAC,IAAI,CAC9H,IAAI,CACL,EACD,CAAC;YACD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5F,IAAI,CAAC,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzD,wBAAwB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,wBAAwB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,+CAA+C;YACtD,WAAW,EACT,wIAAwI;YAC1I,WAAW,EAAE,wBAAwB;YACrC,cAAc,EACZ,2HAA2H;YAC7H,SAAS,EAAE,4CAA4C;YACvD,YAAY,EACV,oJAAoJ;YACtJ,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,uCAAuC;IACvC,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IACE,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC;YACnD,gEAAgE,CAAC,IAAI,CAAC,IAAI,CAAC,EAC3E,CAAC;YACD,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,yDAAyD;YAChE,WAAW,EACT,mHAAmH;YACrH,WAAW,EAAE,YAAY;YACzB,cAAc,EACZ,sJAAsJ;YACxJ,SAAS,EAAE,yCAAyC;YACpD,YAAY,EACV,2IAA2I;YAC7I,UAAU,EAAE,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IAED,gDAAgD;IAChD,MAAM,kBAAkB,GAAa,EAAE,CAAC;IACxC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,oBAAoB,CA
AC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC1E,IAAI,CAAC,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxD,kBAAkB,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IACH,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,GAAG,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;YACzD,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,wCAAwC;YAC/C,WAAW,EACT,0GAA0G;YAC5G,WAAW,EAAE,kBAAkB;YAC/B,cAAc,EACZ,wIAAwI;YAC1I,SAAS,EAAE,iDAAiD;YAC5D,YAAY,EACV,mJAAmJ;YACrJ,UAAU,EAAE,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
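--- /dev/null
+++ b/package/dist/evaluators/framework-safety.d.ts
@@ -0,0 +1,13 @@
+import type { Finding } from "../types.js";
+/**
+* Framework-specific deep safety rules.
+*
+* Detects misuse patterns unique to popular frameworks that generic rules miss:
+* - React: hook violations, unsafe lifecycle, XSS via dangerouslySetInnerHTML
+* - Express/Koa/Fastify: middleware ordering, body-parser pitfalls, error middleware
+* - Next.js: SSR data leaks, getServerSideProps security, API route exposure
+* - Angular: bypassSecurityTrust, template injection, zone.js anti-patterns
+* - Vue: v-html without sanitization, computed vs watch misuse
+*/
+export declare function analyzeFrameworkSafety(code: string, language: string): Finding[];
+//# sourceMappingURL=framework-safety.d.ts.map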
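Review bot: The JSDoc on `analyzeFrameworkSafety` lists the frameworks it covers but documents neither parameter nor the return, so a caller cannot tell what form `language` is expected in (a file extension, a language id, or something normalised upstream) or whether it gates which framework rule sets run. I would add TSDoc tags after the list in the `.ts` source this declaration is emitted from: `@param code - Source text to scan.`, `@param language - Language identifier; presumably the same value the other evaluators accept — confirm against the implementation.`, and `@returns Findings for detected framework misuse; empty when nothing matches.` The implementation itself is in framework-safety.js and is not visible in this declaration.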
@@ -0,0 +1 @@
1
+
{"version":3,"file":"framework-safety.d.ts","sourceRoot":"","sources":["../../src/evaluators/framework-safety.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3C;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAqfhF"}