@nahisaho/musubix-security 2.0.0 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/analysis/enhanced-taint-analyzer.d.ts +120 -0
- package/dist/analysis/enhanced-taint-analyzer.d.ts.map +1 -0
- package/dist/analysis/enhanced-taint-analyzer.js +450 -0
- package/dist/analysis/enhanced-taint-analyzer.js.map +1 -0
- package/dist/analysis/index.d.ts +1 -0
- package/dist/analysis/index.d.ts.map +1 -1
- package/dist/analysis/index.js +1 -0
- package/dist/analysis/index.js.map +1 -1
- package/dist/analysis/interprocedural/call-graph-builder.d.ts +192 -0
- package/dist/analysis/interprocedural/call-graph-builder.d.ts.map +1 -0
- package/dist/analysis/interprocedural/call-graph-builder.js +510 -0
- package/dist/analysis/interprocedural/call-graph-builder.js.map +1 -0
- package/dist/analysis/interprocedural/dfg-adapter.d.ts +166 -0
- package/dist/analysis/interprocedural/dfg-adapter.d.ts.map +1 -0
- package/dist/analysis/interprocedural/dfg-adapter.js +455 -0
- package/dist/analysis/interprocedural/dfg-adapter.js.map +1 -0
- package/dist/analysis/interprocedural/index.d.ts +9 -0
- package/dist/analysis/interprocedural/index.d.ts.map +1 -0
- package/dist/analysis/interprocedural/index.js +9 -0
- package/dist/analysis/interprocedural/index.js.map +1 -0
- package/dist/analysis/interprocedural/taint-propagator.d.ts +250 -0
- package/dist/analysis/interprocedural/taint-propagator.d.ts.map +1 -0
- package/dist/analysis/interprocedural/taint-propagator.js +435 -0
- package/dist/analysis/interprocedural/taint-propagator.js.map +1 -0
- package/dist/analysis/sanitizers/command-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/command-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/command-sanitizers.js +123 -0
- package/dist/analysis/sanitizers/command-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/html-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/html-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/html-sanitizers.js +213 -0
- package/dist/analysis/sanitizers/html-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/index.d.ts +35 -0
- package/dist/analysis/sanitizers/index.d.ts.map +1 -0
- package/dist/analysis/sanitizers/index.js +59 -0
- package/dist/analysis/sanitizers/index.js.map +1 -0
- package/dist/analysis/sanitizers/path-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/path-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/path-sanitizers.js +163 -0
- package/dist/analysis/sanitizers/path-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/sql-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/sql-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/sql-sanitizers.js +216 -0
- package/dist/analysis/sanitizers/sql-sanitizers.js.map +1 -0
- package/dist/analysis/sanitizers/types.d.ts +78 -0
- package/dist/analysis/sanitizers/types.d.ts.map +1 -0
- package/dist/analysis/sanitizers/types.js +7 -0
- package/dist/analysis/sanitizers/types.js.map +1 -0
- package/dist/analysis/sanitizers/validation-sanitizers.d.ts +12 -0
- package/dist/analysis/sanitizers/validation-sanitizers.d.ts.map +1 -0
- package/dist/analysis/sanitizers/validation-sanitizers.js +268 -0
- package/dist/analysis/sanitizers/validation-sanitizers.js.map +1 -0
- package/dist/analysis/sinks/code-eval.d.ts +12 -0
- package/dist/analysis/sinks/code-eval.d.ts.map +1 -0
- package/dist/analysis/sinks/code-eval.js +231 -0
- package/dist/analysis/sinks/code-eval.js.map +1 -0
- package/dist/analysis/sinks/command-exec.d.ts +12 -0
- package/dist/analysis/sinks/command-exec.d.ts.map +1 -0
- package/dist/analysis/sinks/command-exec.js +187 -0
- package/dist/analysis/sinks/command-exec.js.map +1 -0
- package/dist/analysis/sinks/file-operations.d.ts +12 -0
- package/dist/analysis/sinks/file-operations.d.ts.map +1 -0
- package/dist/analysis/sinks/file-operations.js +239 -0
- package/dist/analysis/sinks/file-operations.js.map +1 -0
- package/dist/analysis/sinks/html-output.d.ts +12 -0
- package/dist/analysis/sinks/html-output.d.ts.map +1 -0
- package/dist/analysis/sinks/html-output.js +256 -0
- package/dist/analysis/sinks/html-output.js.map +1 -0
- package/dist/analysis/sinks/index.d.ts +30 -0
- package/dist/analysis/sinks/index.d.ts.map +1 -0
- package/dist/analysis/sinks/index.js +46 -0
- package/dist/analysis/sinks/index.js.map +1 -0
- package/dist/analysis/sinks/sql-query.d.ts +12 -0
- package/dist/analysis/sinks/sql-query.d.ts.map +1 -0
- package/dist/analysis/sinks/sql-query.js +209 -0
- package/dist/analysis/sinks/sql-query.js.map +1 -0
- package/dist/analysis/sinks/types.d.ts +97 -0
- package/dist/analysis/sinks/types.d.ts.map +1 -0
- package/dist/analysis/sinks/types.js +7 -0
- package/dist/analysis/sinks/types.js.map +1 -0
- package/dist/analysis/sources/database.d.ts +12 -0
- package/dist/analysis/sources/database.d.ts.map +1 -0
- package/dist/analysis/sources/database.js +211 -0
- package/dist/analysis/sources/database.js.map +1 -0
- package/dist/analysis/sources/environment.d.ts +12 -0
- package/dist/analysis/sources/environment.d.ts.map +1 -0
- package/dist/analysis/sources/environment.js +158 -0
- package/dist/analysis/sources/environment.js.map +1 -0
- package/dist/analysis/sources/file-system.d.ts +12 -0
- package/dist/analysis/sources/file-system.d.ts.map +1 -0
- package/dist/analysis/sources/file-system.js +180 -0
- package/dist/analysis/sources/file-system.js.map +1 -0
- package/dist/analysis/sources/http-request.d.ts +12 -0
- package/dist/analysis/sources/http-request.d.ts.map +1 -0
- package/dist/analysis/sources/http-request.js +179 -0
- package/dist/analysis/sources/http-request.js.map +1 -0
- package/dist/analysis/sources/index.d.ts +26 -0
- package/dist/analysis/sources/index.d.ts.map +1 -0
- package/dist/analysis/sources/index.js +40 -0
- package/dist/analysis/sources/index.js.map +1 -0
- package/dist/analysis/sources/types.d.ts +93 -0
- package/dist/analysis/sources/types.d.ts.map +1 -0
- package/dist/analysis/sources/types.js +7 -0
- package/dist/analysis/sources/types.js.map +1 -0
- package/dist/analysis/sources/user-input.d.ts +12 -0
- package/dist/analysis/sources/user-input.d.ts.map +1 -0
- package/dist/analysis/sources/user-input.js +261 -0
- package/dist/analysis/sources/user-input.js.map +1 -0
- package/dist/cve/cpe-matcher.d.ts +183 -0
- package/dist/cve/cpe-matcher.d.ts.map +1 -0
- package/dist/cve/cpe-matcher.js +396 -0
- package/dist/cve/cpe-matcher.js.map +1 -0
- package/dist/cve/cve-cache.d.ts +225 -0
- package/dist/cve/cve-cache.d.ts.map +1 -0
- package/dist/cve/cve-cache.js +452 -0
- package/dist/cve/cve-cache.js.map +1 -0
- package/dist/cve/cve-cache.test.d.ts +6 -0
- package/dist/cve/cve-cache.test.d.ts.map +1 -0
- package/dist/cve/cve-cache.test.js +363 -0
- package/dist/cve/cve-cache.test.js.map +1 -0
- package/dist/cve/dependency-parser.d.ts +204 -0
- package/dist/cve/dependency-parser.d.ts.map +1 -0
- package/dist/cve/dependency-parser.js +338 -0
- package/dist/cve/dependency-parser.js.map +1 -0
- package/dist/cve/index.d.ts +20 -0
- package/dist/cve/index.d.ts.map +1 -0
- package/dist/cve/index.js +13 -0
- package/dist/cve/index.js.map +1 -0
- package/dist/cve/nvd-client.d.ts +137 -0
- package/dist/cve/nvd-client.d.ts.map +1 -0
- package/dist/cve/nvd-client.js +333 -0
- package/dist/cve/nvd-client.js.map +1 -0
- package/dist/cve/rate-limiter.d.ts +194 -0
- package/dist/cve/rate-limiter.d.ts.map +1 -0
- package/dist/cve/rate-limiter.js +276 -0
- package/dist/cve/rate-limiter.js.map +1 -0
- package/dist/cve/report-generator.d.ts +145 -0
- package/dist/cve/report-generator.d.ts.map +1 -0
- package/dist/cve/report-generator.js +377 -0
- package/dist/cve/report-generator.js.map +1 -0
- package/dist/cve/report-generator.test.d.ts +6 -0
- package/dist/cve/report-generator.test.d.ts.map +1 -0
- package/dist/cve/report-generator.test.js +275 -0
- package/dist/cve/report-generator.test.js.map +1 -0
- package/dist/cve/vulnerability-scanner.d.ts +198 -0
- package/dist/cve/vulnerability-scanner.d.ts.map +1 -0
- package/dist/cve/vulnerability-scanner.js +311 -0
- package/dist/cve/vulnerability-scanner.js.map +1 -0
- package/dist/cve/vulnerability-scanner.test.d.ts +6 -0
- package/dist/cve/vulnerability-scanner.test.d.ts.map +1 -0
- package/dist/cve/vulnerability-scanner.test.js +329 -0
- package/dist/cve/vulnerability-scanner.test.js.map +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +4 -0
- package/dist/index.js.map +1 -1
- package/dist/rules/config/config-parser.d.ts +119 -0
- package/dist/rules/config/config-parser.d.ts.map +1 -0
- package/dist/rules/config/config-parser.js +376 -0
- package/dist/rules/config/config-parser.js.map +1 -0
- package/dist/rules/config/index.d.ts +8 -0
- package/dist/rules/config/index.d.ts.map +1 -0
- package/dist/rules/config/index.js +8 -0
- package/dist/rules/config/index.js.map +1 -0
- package/dist/rules/config/profiles.d.ts +85 -0
- package/dist/rules/config/profiles.d.ts.map +1 -0
- package/dist/rules/config/profiles.js +226 -0
- package/dist/rules/config/profiles.js.map +1 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.d.ts +9 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.js +54 -0
- package/dist/rules/cwe/cwe-119-buffer-overflow.js.map +1 -0
- package/dist/rules/cwe/cwe-125-oob-read.d.ts +20 -0
- package/dist/rules/cwe/cwe-125-oob-read.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-125-oob-read.js +247 -0
- package/dist/rules/cwe/cwe-125-oob-read.js.map +1 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.d.ts +9 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.js +55 -0
- package/dist/rules/cwe/cwe-190-integer-overflow.js.map +1 -0
- package/dist/rules/cwe/cwe-20-input-validation.d.ts +21 -0
- package/dist/rules/cwe/cwe-20-input-validation.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-20-input-validation.js +342 -0
- package/dist/rules/cwe/cwe-20-input-validation.js.map +1 -0
- package/dist/rules/cwe/cwe-22-path-traversal.d.ts +20 -0
- package/dist/rules/cwe/cwe-22-path-traversal.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-22-path-traversal.js +306 -0
- package/dist/rules/cwe/cwe-22-path-traversal.js.map +1 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.d.ts +9 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.js +58 -0
- package/dist/rules/cwe/cwe-269-improper-privilege.js.map +1 -0
- package/dist/rules/cwe/cwe-276-default-permissions.d.ts +9 -0
- package/dist/rules/cwe/cwe-276-default-permissions.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-276-default-permissions.js +54 -0
- package/dist/rules/cwe/cwe-276-default-permissions.js.map +1 -0
- package/dist/rules/cwe/cwe-287-improper-auth.d.ts +9 -0
- package/dist/rules/cwe/cwe-287-improper-auth.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-287-improper-auth.js +57 -0
- package/dist/rules/cwe/cwe-287-improper-auth.js.map +1 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.d.ts +9 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.js +53 -0
- package/dist/rules/cwe/cwe-306-missing-auth-critical.js.map +1 -0
- package/dist/rules/cwe/cwe-352-csrf.d.ts +9 -0
- package/dist/rules/cwe/cwe-352-csrf.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-352-csrf.js +51 -0
- package/dist/rules/cwe/cwe-352-csrf.js.map +1 -0
- package/dist/rules/cwe/cwe-362-race-condition.d.ts +9 -0
- package/dist/rules/cwe/cwe-362-race-condition.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-362-race-condition.js +55 -0
- package/dist/rules/cwe/cwe-362-race-condition.js.map +1 -0
- package/dist/rules/cwe/cwe-416-use-after-free.d.ts +23 -0
- package/dist/rules/cwe/cwe-416-use-after-free.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-416-use-after-free.js +402 -0
- package/dist/rules/cwe/cwe-416-use-after-free.js.map +1 -0
- package/dist/rules/cwe/cwe-434-file-upload.d.ts +9 -0
- package/dist/rules/cwe/cwe-434-file-upload.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-434-file-upload.js +55 -0
- package/dist/rules/cwe/cwe-434-file-upload.js.map +1 -0
- package/dist/rules/cwe/cwe-476-null-deref.d.ts +9 -0
- package/dist/rules/cwe/cwe-476-null-deref.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-476-null-deref.js +55 -0
- package/dist/rules/cwe/cwe-476-null-deref.js.map +1 -0
- package/dist/rules/cwe/cwe-502-deserialization.d.ts +9 -0
- package/dist/rules/cwe/cwe-502-deserialization.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-502-deserialization.js +57 -0
- package/dist/rules/cwe/cwe-502-deserialization.js.map +1 -0
- package/dist/rules/cwe/cwe-77-command-injection.d.ts +9 -0
- package/dist/rules/cwe/cwe-77-command-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-77-command-injection.js +55 -0
- package/dist/rules/cwe/cwe-77-command-injection.js.map +1 -0
- package/dist/rules/cwe/cwe-78-command-injection.d.ts +20 -0
- package/dist/rules/cwe/cwe-78-command-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-78-command-injection.js +259 -0
- package/dist/rules/cwe/cwe-78-command-injection.js.map +1 -0
- package/dist/rules/cwe/cwe-787-oob-write.d.ts +21 -0
- package/dist/rules/cwe/cwe-787-oob-write.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-787-oob-write.js +321 -0
- package/dist/rules/cwe/cwe-787-oob-write.js.map +1 -0
- package/dist/rules/cwe/cwe-79-xss.d.ts +22 -0
- package/dist/rules/cwe/cwe-79-xss.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-79-xss.js +386 -0
- package/dist/rules/cwe/cwe-79-xss.js.map +1 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.d.ts +9 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.js +58 -0
- package/dist/rules/cwe/cwe-798-hardcoded-credentials.js.map +1 -0
- package/dist/rules/cwe/cwe-862-missing-auth.d.ts +9 -0
- package/dist/rules/cwe/cwe-862-missing-auth.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-862-missing-auth.js +55 -0
- package/dist/rules/cwe/cwe-862-missing-auth.js.map +1 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.d.ts +9 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.js +58 -0
- package/dist/rules/cwe/cwe-863-incorrect-auth.js.map +1 -0
- package/dist/rules/cwe/cwe-89-sql-injection.d.ts +21 -0
- package/dist/rules/cwe/cwe-89-sql-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-89-sql-injection.js +456 -0
- package/dist/rules/cwe/cwe-89-sql-injection.js.map +1 -0
- package/dist/rules/cwe/cwe-918-ssrf.d.ts +9 -0
- package/dist/rules/cwe/cwe-918-ssrf.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-918-ssrf.js +59 -0
- package/dist/rules/cwe/cwe-918-ssrf.js.map +1 -0
- package/dist/rules/cwe/cwe-94-code-injection.d.ts +9 -0
- package/dist/rules/cwe/cwe-94-code-injection.d.ts.map +1 -0
- package/dist/rules/cwe/cwe-94-code-injection.js +59 -0
- package/dist/rules/cwe/cwe-94-code-injection.js.map +1 -0
- package/dist/rules/cwe/index.d.ts +43 -0
- package/dist/rules/cwe/index.d.ts.map +1 -0
- package/dist/rules/cwe/index.js +99 -0
- package/dist/rules/cwe/index.js.map +1 -0
- package/dist/rules/engine/index.d.ts +10 -0
- package/dist/rules/engine/index.d.ts.map +1 -0
- package/dist/rules/engine/index.js +9 -0
- package/dist/rules/engine/index.js.map +1 -0
- package/dist/rules/engine/rule-context.d.ts +99 -0
- package/dist/rules/engine/rule-context.d.ts.map +1 -0
- package/dist/rules/engine/rule-context.js +175 -0
- package/dist/rules/engine/rule-context.js.map +1 -0
- package/dist/rules/engine/rule-engine.d.ts +132 -0
- package/dist/rules/engine/rule-engine.d.ts.map +1 -0
- package/dist/rules/engine/rule-engine.js +379 -0
- package/dist/rules/engine/rule-engine.js.map +1 -0
- package/dist/rules/engine/rule-registry.d.ts +133 -0
- package/dist/rules/engine/rule-registry.d.ts.map +1 -0
- package/dist/rules/engine/rule-registry.js +281 -0
- package/dist/rules/engine/rule-registry.js.map +1 -0
- package/dist/rules/index.d.ts +14 -0
- package/dist/rules/index.d.ts.map +1 -0
- package/dist/rules/index.js +16 -0
- package/dist/rules/index.js.map +1 -0
- package/dist/rules/owasp/a01-broken-access-control.d.ts +19 -0
- package/dist/rules/owasp/a01-broken-access-control.d.ts.map +1 -0
- package/dist/rules/owasp/a01-broken-access-control.js +295 -0
- package/dist/rules/owasp/a01-broken-access-control.js.map +1 -0
- package/dist/rules/owasp/a02-cryptographic-failures.d.ts +19 -0
- package/dist/rules/owasp/a02-cryptographic-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a02-cryptographic-failures.js +327 -0
- package/dist/rules/owasp/a02-cryptographic-failures.js.map +1 -0
- package/dist/rules/owasp/a03-injection.d.ts +21 -0
- package/dist/rules/owasp/a03-injection.d.ts.map +1 -0
- package/dist/rules/owasp/a03-injection.js +342 -0
- package/dist/rules/owasp/a03-injection.js.map +1 -0
- package/dist/rules/owasp/a04-insecure-design.d.ts +19 -0
- package/dist/rules/owasp/a04-insecure-design.d.ts.map +1 -0
- package/dist/rules/owasp/a04-insecure-design.js +403 -0
- package/dist/rules/owasp/a04-insecure-design.js.map +1 -0
- package/dist/rules/owasp/a05-security-misconfiguration.d.ts +19 -0
- package/dist/rules/owasp/a05-security-misconfiguration.d.ts.map +1 -0
- package/dist/rules/owasp/a05-security-misconfiguration.js +371 -0
- package/dist/rules/owasp/a05-security-misconfiguration.js.map +1 -0
- package/dist/rules/owasp/a06-vulnerable-components.d.ts +18 -0
- package/dist/rules/owasp/a06-vulnerable-components.d.ts.map +1 -0
- package/dist/rules/owasp/a06-vulnerable-components.js +243 -0
- package/dist/rules/owasp/a06-vulnerable-components.js.map +1 -0
- package/dist/rules/owasp/a07-auth-failures.d.ts +19 -0
- package/dist/rules/owasp/a07-auth-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a07-auth-failures.js +300 -0
- package/dist/rules/owasp/a07-auth-failures.js.map +1 -0
- package/dist/rules/owasp/a08-integrity-failures.d.ts +18 -0
- package/dist/rules/owasp/a08-integrity-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a08-integrity-failures.js +306 -0
- package/dist/rules/owasp/a08-integrity-failures.js.map +1 -0
- package/dist/rules/owasp/a09-logging-failures.d.ts +18 -0
- package/dist/rules/owasp/a09-logging-failures.d.ts.map +1 -0
- package/dist/rules/owasp/a09-logging-failures.js +339 -0
- package/dist/rules/owasp/a09-logging-failures.js.map +1 -0
- package/dist/rules/owasp/a10-ssrf.d.ts +18 -0
- package/dist/rules/owasp/a10-ssrf.d.ts.map +1 -0
- package/dist/rules/owasp/a10-ssrf.js +349 -0
- package/dist/rules/owasp/a10-ssrf.js.map +1 -0
- package/dist/rules/owasp/index.d.ts +20 -0
- package/dist/rules/owasp/index.d.ts.map +1 -0
- package/dist/rules/owasp/index.js +53 -0
- package/dist/rules/owasp/index.js.map +1 -0
- package/dist/rules/types.d.ts +277 -0
- package/dist/rules/types.d.ts.map +1 -0
- package/dist/rules/types.js +34 -0
- package/dist/rules/types.js.map +1 -0
- package/dist/tests/integration/epic-integration.test.d.ts +7 -0
- package/dist/tests/integration/epic-integration.test.d.ts.map +1 -0
- package/dist/tests/integration/epic-integration.test.js +390 -0
- package/dist/tests/integration/epic-integration.test.js.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.d.ts +2 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.d.ts.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.js +154 -0
- package/dist/tests/rules/cwe/cwe-top25-1-13.test.js.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.d.ts +2 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.d.ts.map +1 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.js +121 -0
- package/dist/tests/rules/cwe/cwe-top25-14-25.test.js.map +1 -0
- package/dist/types/cve.d.ts +278 -0
- package/dist/types/cve.d.ts.map +1 -0
- package/dist/types/cve.js +7 -0
- package/dist/types/cve.js.map +1 -0
- package/dist/types/index.d.ts +2 -0
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/rule.d.ts +245 -0
- package/dist/types/rule.d.ts.map +1 -0
- package/dist/types/rule.js +7 -0
- package/dist/types/rule.js.map +1 -0
- package/package.json +4 -4
|
@@ -0,0 +1,226 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview Rule Profiles
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/config/profiles
|
|
4
|
+
* @trace TSK-RULE-002
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* Minimal profile - Essential security checks only
|
|
8
|
+
* Best for: Quick scans, CI pipelines with time constraints
|
|
9
|
+
*/
|
|
10
|
+
export const PROFILE_MINIMAL = {
|
|
11
|
+
name: 'minimal',
|
|
12
|
+
description: 'Essential security checks - critical and high severity only',
|
|
13
|
+
severityThreshold: 'high',
|
|
14
|
+
enableTaintAnalysis: false,
|
|
15
|
+
enableDFG: false,
|
|
16
|
+
rules: [
|
|
17
|
+
// OWASP Top 10 - Critical
|
|
18
|
+
{ id: 'owasp-a01-broken-access-control' },
|
|
19
|
+
{ id: 'owasp-a03-injection' },
|
|
20
|
+
{ id: 'owasp-a07-auth-failures' },
|
|
21
|
+
// CWE Top 25 - Critical
|
|
22
|
+
{ id: 'cwe-79-xss' },
|
|
23
|
+
{ id: 'cwe-89-sql-injection' },
|
|
24
|
+
{ id: 'cwe-78-os-command-injection' },
|
|
25
|
+
{ id: 'cwe-22-path-traversal' },
|
|
26
|
+
{ id: 'cwe-798-hardcoded-credentials' },
|
|
27
|
+
{ id: 'cwe-287-improper-authentication' },
|
|
28
|
+
],
|
|
29
|
+
};
|
|
30
|
+
/**
|
|
31
|
+
* Standard profile - Balanced security coverage
|
|
32
|
+
* Best for: Regular development, PR checks
|
|
33
|
+
*/
|
|
34
|
+
export const PROFILE_STANDARD = {
|
|
35
|
+
name: 'standard',
|
|
36
|
+
description: 'Balanced security coverage - OWASP Top 10 + CWE Top 25',
|
|
37
|
+
severityThreshold: 'medium',
|
|
38
|
+
enableTaintAnalysis: true,
|
|
39
|
+
enableDFG: false,
|
|
40
|
+
rules: [
|
|
41
|
+
// All OWASP Top 10
|
|
42
|
+
{ id: 'owasp-a01-broken-access-control' },
|
|
43
|
+
{ id: 'owasp-a02-cryptographic-failures' },
|
|
44
|
+
{ id: 'owasp-a03-injection' },
|
|
45
|
+
{ id: 'owasp-a04-insecure-design' },
|
|
46
|
+
{ id: 'owasp-a05-security-misconfiguration' },
|
|
47
|
+
{ id: 'owasp-a06-vulnerable-components' },
|
|
48
|
+
{ id: 'owasp-a07-auth-failures' },
|
|
49
|
+
{ id: 'owasp-a08-integrity-failures' },
|
|
50
|
+
{ id: 'owasp-a09-logging-failures' },
|
|
51
|
+
{ id: 'owasp-a10-ssrf' },
|
|
52
|
+
// CWE Top 25
|
|
53
|
+
{ id: 'cwe-787-out-of-bounds-write' },
|
|
54
|
+
{ id: 'cwe-79-xss' },
|
|
55
|
+
{ id: 'cwe-89-sql-injection' },
|
|
56
|
+
{ id: 'cwe-416-use-after-free' },
|
|
57
|
+
{ id: 'cwe-78-os-command-injection' },
|
|
58
|
+
{ id: 'cwe-20-improper-input-validation' },
|
|
59
|
+
{ id: 'cwe-125-out-of-bounds-read' },
|
|
60
|
+
{ id: 'cwe-22-path-traversal' },
|
|
61
|
+
{ id: 'cwe-352-csrf' },
|
|
62
|
+
{ id: 'cwe-434-file-upload' },
|
|
63
|
+
{ id: 'cwe-862-missing-authorization' },
|
|
64
|
+
{ id: 'cwe-476-null-pointer' },
|
|
65
|
+
{ id: 'cwe-287-improper-authentication' },
|
|
66
|
+
{ id: 'cwe-190-integer-overflow' },
|
|
67
|
+
{ id: 'cwe-502-deserialization' },
|
|
68
|
+
{ id: 'cwe-77-command-injection' },
|
|
69
|
+
{ id: 'cwe-119-buffer-overflow' },
|
|
70
|
+
{ id: 'cwe-798-hardcoded-credentials' },
|
|
71
|
+
{ id: 'cwe-918-ssrf' },
|
|
72
|
+
{ id: 'cwe-306-missing-auth-critical' },
|
|
73
|
+
{ id: 'cwe-362-race-condition' },
|
|
74
|
+
{ id: 'cwe-269-improper-privilege' },
|
|
75
|
+
{ id: 'cwe-94-code-injection' },
|
|
76
|
+
{ id: 'cwe-863-incorrect-authorization' },
|
|
77
|
+
{ id: 'cwe-276-incorrect-permissions' },
|
|
78
|
+
],
|
|
79
|
+
};
|
|
80
|
+
/**
|
|
81
|
+
* Strict profile - Comprehensive security analysis
|
|
82
|
+
* Best for: Security audits, pre-release checks
|
|
83
|
+
*/
|
|
84
|
+
export const PROFILE_STRICT = {
|
|
85
|
+
name: 'strict',
|
|
86
|
+
description: 'Comprehensive security analysis - all rules enabled',
|
|
87
|
+
severityThreshold: 'info',
|
|
88
|
+
enableTaintAnalysis: true,
|
|
89
|
+
enableDFG: true,
|
|
90
|
+
rules: [
|
|
91
|
+
// All rules from standard profile
|
|
92
|
+
...PROFILE_STANDARD.rules,
|
|
93
|
+
// Additional low-priority rules
|
|
94
|
+
{ id: 'cwe-200-information-exposure' },
|
|
95
|
+
{ id: 'cwe-611-xxe' },
|
|
96
|
+
{ id: 'cwe-1321-prototype-pollution' },
|
|
97
|
+
{ id: 'cwe-400-uncontrolled-resource' },
|
|
98
|
+
{ id: 'cwe-601-open-redirect' },
|
|
99
|
+
{ id: 'cwe-522-weak-credentials' },
|
|
100
|
+
{ id: 'cwe-732-incorrect-permission' },
|
|
101
|
+
{ id: 'cwe-295-improper-cert-validation' },
|
|
102
|
+
{ id: 'cwe-327-broken-crypto' },
|
|
103
|
+
{ id: 'cwe-330-insufficient-randomness' },
|
|
104
|
+
],
|
|
105
|
+
};
|
|
106
|
+
/**
|
|
107
|
+
* OWASP-only profile - OWASP Top 10 focus
|
|
108
|
+
*/
|
|
109
|
+
export const PROFILE_OWASP = {
|
|
110
|
+
name: 'owasp',
|
|
111
|
+
description: 'OWASP Top 10 2021 focused analysis',
|
|
112
|
+
severityThreshold: 'medium',
|
|
113
|
+
enableTaintAnalysis: true,
|
|
114
|
+
enableDFG: false,
|
|
115
|
+
rules: [
|
|
116
|
+
{ id: 'owasp-a01-broken-access-control' },
|
|
117
|
+
{ id: 'owasp-a02-cryptographic-failures' },
|
|
118
|
+
{ id: 'owasp-a03-injection' },
|
|
119
|
+
{ id: 'owasp-a04-insecure-design' },
|
|
120
|
+
{ id: 'owasp-a05-security-misconfiguration' },
|
|
121
|
+
{ id: 'owasp-a06-vulnerable-components' },
|
|
122
|
+
{ id: 'owasp-a07-auth-failures' },
|
|
123
|
+
{ id: 'owasp-a08-integrity-failures' },
|
|
124
|
+
{ id: 'owasp-a09-logging-failures' },
|
|
125
|
+
{ id: 'owasp-a10-ssrf' },
|
|
126
|
+
],
|
|
127
|
+
};
|
|
128
|
+
/**
|
|
129
|
+
* CWE-only profile - CWE Top 25 focus
|
|
130
|
+
*/
|
|
131
|
+
export const PROFILE_CWE = {
|
|
132
|
+
name: 'cwe',
|
|
133
|
+
description: 'CWE Top 25 2023 focused analysis',
|
|
134
|
+
severityThreshold: 'medium',
|
|
135
|
+
enableTaintAnalysis: true,
|
|
136
|
+
enableDFG: false,
|
|
137
|
+
rules: [
|
|
138
|
+
{ id: 'cwe-787-out-of-bounds-write' },
|
|
139
|
+
{ id: 'cwe-79-xss' },
|
|
140
|
+
{ id: 'cwe-89-sql-injection' },
|
|
141
|
+
{ id: 'cwe-416-use-after-free' },
|
|
142
|
+
{ id: 'cwe-78-os-command-injection' },
|
|
143
|
+
{ id: 'cwe-20-improper-input-validation' },
|
|
144
|
+
{ id: 'cwe-125-out-of-bounds-read' },
|
|
145
|
+
{ id: 'cwe-22-path-traversal' },
|
|
146
|
+
{ id: 'cwe-352-csrf' },
|
|
147
|
+
{ id: 'cwe-434-file-upload' },
|
|
148
|
+
{ id: 'cwe-862-missing-authorization' },
|
|
149
|
+
{ id: 'cwe-476-null-pointer' },
|
|
150
|
+
{ id: 'cwe-287-improper-authentication' },
|
|
151
|
+
{ id: 'cwe-190-integer-overflow' },
|
|
152
|
+
{ id: 'cwe-502-deserialization' },
|
|
153
|
+
{ id: 'cwe-77-command-injection' },
|
|
154
|
+
{ id: 'cwe-119-buffer-overflow' },
|
|
155
|
+
{ id: 'cwe-798-hardcoded-credentials' },
|
|
156
|
+
{ id: 'cwe-918-ssrf' },
|
|
157
|
+
{ id: 'cwe-306-missing-auth-critical' },
|
|
158
|
+
{ id: 'cwe-362-race-condition' },
|
|
159
|
+
{ id: 'cwe-269-improper-privilege' },
|
|
160
|
+
{ id: 'cwe-94-code-injection' },
|
|
161
|
+
{ id: 'cwe-863-incorrect-authorization' },
|
|
162
|
+
{ id: 'cwe-276-incorrect-permissions' },
|
|
163
|
+
],
|
|
164
|
+
};
|
|
165
|
+
/**
|
|
166
|
+
* All available profiles
|
|
167
|
+
*/
|
|
168
|
+
export const PROFILES = {
|
|
169
|
+
minimal: PROFILE_MINIMAL,
|
|
170
|
+
standard: PROFILE_STANDARD,
|
|
171
|
+
strict: PROFILE_STRICT,
|
|
172
|
+
owasp: PROFILE_OWASP,
|
|
173
|
+
cwe: PROFILE_CWE,
|
|
174
|
+
};
|
|
175
|
+
/**
|
|
176
|
+
* Get profile by name
|
|
177
|
+
*/
|
|
178
|
+
export function getProfile(name) {
|
|
179
|
+
return PROFILES[name.toLowerCase()];
|
|
180
|
+
}
|
|
181
|
+
/**
|
|
182
|
+
* Get all profile names
|
|
183
|
+
*/
|
|
184
|
+
export function getProfileNames() {
|
|
185
|
+
return Object.keys(PROFILES);
|
|
186
|
+
}
|
|
187
|
+
/**
|
|
188
|
+
* Check if profile exists
|
|
189
|
+
*/
|
|
190
|
+
export function hasProfile(name) {
|
|
191
|
+
return name.toLowerCase() in PROFILES;
|
|
192
|
+
}
|
|
193
|
+
/**
|
|
194
|
+
* Get rule IDs from profile
|
|
195
|
+
*/
|
|
196
|
+
export function getProfileRuleIds(profileName) {
|
|
197
|
+
const profile = getProfile(profileName);
|
|
198
|
+
if (!profile)
|
|
199
|
+
return [];
|
|
200
|
+
return profile.rules.map(r => r.id);
|
|
201
|
+
}
|
|
202
|
+
/**
|
|
203
|
+
* Merge profile with custom config
|
|
204
|
+
*/
|
|
205
|
+
export function mergeProfileConfig(profileName, customRules = {}) {
|
|
206
|
+
const profile = getProfile(profileName);
|
|
207
|
+
if (!profile)
|
|
208
|
+
return [];
|
|
209
|
+
const merged = new Map();
|
|
210
|
+
// Add profile rules
|
|
211
|
+
for (const rule of profile.rules) {
|
|
212
|
+
merged.set(rule.id, { ...rule });
|
|
213
|
+
}
|
|
214
|
+
// Apply custom overrides
|
|
215
|
+
for (const [ruleId, config] of Object.entries(customRules)) {
|
|
216
|
+
const existing = merged.get(ruleId);
|
|
217
|
+
if (existing) {
|
|
218
|
+
merged.set(ruleId, { ...existing, ...config });
|
|
219
|
+
}
|
|
220
|
+
else if (config.enabled !== false) {
|
|
221
|
+
merged.set(ruleId, { id: ruleId, ...config });
|
|
222
|
+
}
|
|
223
|
+
}
|
|
224
|
+
return Array.from(merged.values());
|
|
225
|
+
}
|
|
226
|
+
//# sourceMappingURL=profiles.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profiles.js","sourceRoot":"","sources":["../../../src/rules/config/profiles.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAkCH;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAgB;IAC1C,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,6DAA6D;IAC1E,iBAAiB,EAAE,MAAM;IACzB,mBAAmB,EAAE,KAAK;IAC1B,SAAS,EAAE,KAAK;IAChB,KAAK,EAAE;QACL,0BAA0B;QAC1B,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAC7B,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,wBAAwB;QACxB,EAAE,EAAE,EAAE,YAAY,EAAE;QACpB,EAAE,EAAE,EAAE,sBAAsB,EAAE;QAC9B,EAAE,EAAE,EAAE,6BAA6B,EAAE;QACrC,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,iCAAiC,EAAE;KAC1C;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAgB;IAC3C,IAAI,EAAE,UAAU;IAChB,WAAW,EAAE,wDAAwD;IACrE,iBAAiB,EAAE,QAAQ;IAC3B,mBAAmB,EAAE,IAAI;IACzB,SAAS,EAAE,KAAK;IAChB,KAAK,EAAE;QACL,mBAAmB;QACnB,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,kCAAkC,EAAE;QAC1C,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAC7B,EAAE,EAAE,EAAE,2BAA2B,EAAE;QACnC,EAAE,EAAE,EAAE,qCAAqC,EAAE;QAC7C,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,EAAE,EAAE,EAAE,8BAA8B,EAAE;QACtC,EAAE,EAAE,EAAE,4BAA4B,EAAE;QACpC,EAAE,EAAE,EAAE,gBAAgB,EAAE;QACxB,aAAa;QACb,EAAE,EAAE,EAAE,6BAA6B,EAAE;QACrC,EAAE,EAAE,EAAE,YAAY,EAAE;QACpB,EAAE,EAAE,EAAE,sBAAsB,EAAE;QAC9B,EAAE,EAAE,EAAE,wBAAwB,EAAE;QAChC,EAAE,EAAE,EAAE,6BAA6B,EAAE;QACrC,EAAE,EAAE,EAAE,kCAAkC,EAAE;QAC1C,EAAE,EAAE,EAAE,4BAA4B,EAAE;QACpC,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,cAAc,EAAE;QACtB,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAC7B,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,sBAAsB,EAAE;QAC9B,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,0BAA0B,EAAE;QAClC,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,EAAE,EAAE,EAAE,0BAA0B,EAAE;QAClC,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,cAAc,EAAE;QACtB,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,wBAAwB,EAAE;QAChC,EAAE,EAAE,EAAE,4BAA4B,EAAE;QACpC,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,+BAA+B,EAAE;KACxC;CACF,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAgB;IACzC,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,qDAAqD;IAClE,iBAAiB,EAAE,MAAM;IACzB,mBAAmB,EAAE,IAAI;IACzB,SAAS,EAAE,IAAI;IACf,KAAK,EAAE;QACL,kCAAkC;QAClC,GAAG,gBAAgB,CAAC,KAAK;QACzB,gCAAgC;QAChC,EAAE,EAAE,EAAE,8BAA8B,EAAE;QACtC,EAAE,EAAE,EAAE,aAAa,EAAE;QACrB,EAAE,EAAE,EAAE,8BAA8B,EAAE;QACtC,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,0BAA0B,EAAE;QAClC,EAAE,EAAE,EAAE,8BAA8B,EAAE;QACtC,EAAE,EAAE,EAAE,kCAAkC,EAAE;QAC1C,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,iCAAiC,EAAE;KAC1C;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAgB;IACxC,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,oCAAoC;IACjD,iBAAiB,EAAE,QAAQ;IAC3B,mBAAmB,EAAE,IAAI;IACzB,SAAS,EAAE,KAAK;IAChB,KAAK,EAAE;QACL,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,kCAAkC,EAAE;QAC1C,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAC7B,EAAE,EAAE,EAAE,2BAA2B,EAAE;QACnC,EAAE,EAAE,EAAE,qCAAqC,EAAE;QAC7C,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,EAAE,EAAE,EAAE,8BAA8B,EAAE;QACtC,EAAE,EAAE,EAAE,4BAA4B,EAAE;QACpC,EAAE,EAAE,EAAE,gBAAgB,EAAE;KACzB;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,WAAW,GAAgB;IACtC,IAAI,EAAE,KAAK;IACX,WAAW,EAAE,kCAAkC;IAC/C,iBAAiB,EAAE,QAAQ;IAC3B,mBAAmB,EAAE,IAAI;IACzB,SAAS,EAAE,KAAK;IAChB,KAAK,EAAE;QACL,EAAE,EAAE,EAAE,6BAA6B,EAAE;QACrC,EAAE,EAAE,EAAE,YAAY,EAAE;QACpB,EAAE,EAAE,EAAE,sBAAsB,EAAE;QAC9B,EAAE,EAAE,EAAE,wBAAwB,EAAE;QAChC,EAAE,EAAE,EAAE,6BAA6B,EAAE;QACrC,EAAE,EAAE,EAAE,kCAAkC,EAAE;QAC1C,EAAE,EAAE,EAAE,4BAA4B,EAAE;QACpC,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,cAAc,EAAE;QACtB,EAAE,EAAE,EAAE,qBAAqB,EAAE;QAC7B,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,sBAAsB,EAAE;QAC9B,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,0BAA0B,EAAE;QAClC,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,EAAE,EAAE,EAAE,0BAA0B,EAAE;QAClC,EAAE,EAAE,EAAE,yBAAyB,EAAE;QACjC,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,cAAc,EAAE;QACtB,EAAE,EAAE,EAAE,+BAA+B,EAAE;QACvC,EAAE,EAAE,EAAE,wBAAwB,EAAE;QAChC,EAAE,EAAE,EAAE,4BAA4B,EAAE;QACpC,EAAE,EAAE,EAAE,uBAAuB,EAAE;QAC/B,EAAE,EAAE,EAAE,iCAAiC,EAAE;QACzC,EAAE,EAAE,EAAE,+BAA+B,EAAE;KACxC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,QAAQ,GAAgC;IACnD,OAAO,EAAE,eAAe;IACxB,QAAQ,EAAE,gBAAgB;IAC1B,MAAM,EAAE,cAAc;IACtB,KAAK,EAAE,aAAa;IACpB,GAAG,EAAE,WAAW;CACjB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe;IAC7B,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,OAAO,IAAI,CAAC,WAAW,EAAE,IAAI,QAAQ,CAAC;AACxC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAAmB;IACnD,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IACxB,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,WAAmB,EACnB,cAA8E,EAAE;IAEhF,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;IACxC,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,CAAC;IAExB,MAAM,MAAM,GAAG,IAAI,GAAG,EAA6B,CAAC;IAEpD,oBAAoB;IACpB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;IACnC,CAAC;IAED,yBAAyB;IACzB,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAC3D,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACpC,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,GAAG,QAAQ,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;QACjD,CAAC;aAAM,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YACpC,MAAM,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;AACrC,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview CWE-119: Improper Restriction of Operations within Bounds of Memory Buffer
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/cwe/cwe-119-buffer-overflow
|
|
4
|
+
* @trace TSK-RULE-006
|
|
5
|
+
*/
|
|
6
|
+
import type { SecurityRule } from '../types.js';
|
|
7
|
+
export declare const cwe119BufferOverflow: SecurityRule;
|
|
8
|
+
export default cwe119BufferOverflow;
|
|
9
|
+
//# sourceMappingURL=cwe-119-buffer-overflow.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-119-buffer-overflow.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-119-buffer-overflow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,oBAAoB,EAAE,YAiDlC,CAAC;AAEF,eAAe,oBAAoB,CAAC"}
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview CWE-119: Improper Restriction of Operations within Bounds of Memory Buffer
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/cwe/cwe-119-buffer-overflow
|
|
4
|
+
* @trace TSK-RULE-006
|
|
5
|
+
*/
|
|
6
|
+
export const cwe119BufferOverflow = {
|
|
7
|
+
id: 'cwe-119-buffer-overflow',
|
|
8
|
+
name: 'CWE-119: Buffer Overflow',
|
|
9
|
+
description: 'Detects improper buffer boundary operations',
|
|
10
|
+
defaultSeverity: 'high',
|
|
11
|
+
category: 'memory-safety',
|
|
12
|
+
tags: ['cwe', 'buffer', 'memory', 'security'],
|
|
13
|
+
cwe: ['119'],
|
|
14
|
+
references: [
|
|
15
|
+
{ title: 'CWE-119', url: 'https://cwe.mitre.org/data/definitions/119.html' },
|
|
16
|
+
],
|
|
17
|
+
async analyze(context) {
|
|
18
|
+
const findings = [];
|
|
19
|
+
const lines = context.sourceCode.split('\n');
|
|
20
|
+
const patterns = [
|
|
21
|
+
{ pattern: /Buffer\.from\s*\([^)]+\)\.copy\s*\(/gi, type: 'Buffer copy without bounds', severity: 'high' },
|
|
22
|
+
{ pattern: /\.slice\s*\(\s*\w+\s*,\s*\w+\s*\)/gi, type: 'Dynamic slice bounds', severity: 'medium' },
|
|
23
|
+
{ pattern: /new\s+ArrayBuffer\s*\(\s*\w+\s*\)/gi, type: 'Dynamic ArrayBuffer size', severity: 'medium' },
|
|
24
|
+
{ pattern: /\.set\s*\([^)]+,\s*\w+\s*\)/gi, type: 'TypedArray set with offset', severity: 'medium' },
|
|
25
|
+
{ pattern: /memcpy|memmove|strcpy|strcat/gi, type: 'C-style memory function', severity: 'critical' },
|
|
26
|
+
{ pattern: /\.subarray\s*\(\s*-/gi, type: 'Negative subarray index', severity: 'high' },
|
|
27
|
+
];
|
|
28
|
+
for (let i = 0; i < lines.length; i++) {
|
|
29
|
+
for (const { pattern, type, severity } of patterns) {
|
|
30
|
+
pattern.lastIndex = 0;
|
|
31
|
+
if (pattern.test(lines[i])) {
|
|
32
|
+
findings.push({
|
|
33
|
+
id: `cwe-119-${findings.length + 1}`,
|
|
34
|
+
ruleId: 'cwe-119-buffer-overflow',
|
|
35
|
+
severity,
|
|
36
|
+
message: `Buffer Overflow - ${type}: Validate buffer boundaries`,
|
|
37
|
+
location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
|
|
38
|
+
cwe: ['119'],
|
|
39
|
+
suggestion: {
|
|
40
|
+
description: 'Always validate buffer bounds before operations',
|
|
41
|
+
example: `// Validate bounds before copy
|
|
42
|
+
if (offset + length <= buffer.length) {
|
|
43
|
+
source.copy(buffer, offset, 0, length);
|
|
44
|
+
}`,
|
|
45
|
+
},
|
|
46
|
+
});
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
return findings;
|
|
51
|
+
},
|
|
52
|
+
};
|
|
53
|
+
export default cwe119BufferOverflow;
|
|
54
|
+
//# sourceMappingURL=cwe-119-buffer-overflow.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-119-buffer-overflow.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-119-buffer-overflow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,MAAM,CAAC,MAAM,oBAAoB,GAAiB;IAChD,EAAE,EAAE,yBAAyB;IAC7B,IAAI,EAAE,0BAA0B;IAChC,WAAW,EAAE,6CAA6C;IAC1D,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,eAAe;IACzB,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,CAAC;IAC7C,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,iDAAiD,EAAE;KAC7E;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,KAAK,GAAG,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE7C,MAAM,QAAQ,GAAG;YACf,EAAE,OAAO,EAAE,uCAAuC,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,MAAe,EAAE;YACnH,EAAE,OAAO,EAAE,qCAAqC,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAC7G,EAAE,OAAO,EAAE,qCAAqC,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,QAAiB,EAAE;YACjH,EAAE,OAAO,EAAE,+BAA+B,EAAE,IAAI,EAAE,4BAA4B,EAAE,QAAQ,EAAE,QAAiB,EAAE;YAC7G,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,UAAmB,EAAE;YAC7G,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,MAAe,EAAE;SACjG,CAAC;QAEF,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,QAAQ,EAAE,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3B,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,WAAW,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBACpC,MAAM,EAAE,yBAAyB;wBACjC,QAAQ;wBACR,OAAO,EAAE,qBAAqB,IAAI,8BAA8B;wBAChE,QAAQ,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,CAAC,GAAG,CAAC,EAAE;wBACtE,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,iDAAiD;4BAC9D,OAAO,EAAE;;;EAGrB;yBACW;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,oBAAoB,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview CWE-125: Out-of-bounds Read
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/cwe/cwe-125-oob-read
|
|
4
|
+
* @trace TSK-RULE-005
|
|
5
|
+
*
|
|
6
|
+
* Detects:
|
|
7
|
+
* - Buffer read beyond bounds
|
|
8
|
+
* - Array access with unchecked index
|
|
9
|
+
* - String operations with invalid offsets
|
|
10
|
+
* - TypedArray read violations
|
|
11
|
+
*
|
|
12
|
+
* CWE-125 is #7 in CWE Top 25 2023.
|
|
13
|
+
*/
|
|
14
|
+
import type { SecurityRule } from '../types.js';
|
|
15
|
+
/**
|
|
16
|
+
* CWE-125 - Out-of-bounds Read
|
|
17
|
+
*/
|
|
18
|
+
export declare const cwe125OutOfBoundsRead: SecurityRule;
|
|
19
|
+
export default cwe125OutOfBoundsRead;
|
|
20
|
+
//# sourceMappingURL=cwe-125-oob-read.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-125-oob-read.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-125-oob-read.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E;;GAEG;AACH,eAAO,MAAM,qBAAqB,EAAE,YA0BnC,CAAC;AAwOF,eAAe,qBAAqB,CAAC"}
|
|
@@ -0,0 +1,247 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview CWE-125: Out-of-bounds Read
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/cwe/cwe-125-oob-read
|
|
4
|
+
* @trace TSK-RULE-005
|
|
5
|
+
*
|
|
6
|
+
* Detects:
|
|
7
|
+
* - Buffer read beyond bounds
|
|
8
|
+
* - Array access with unchecked index
|
|
9
|
+
* - String operations with invalid offsets
|
|
10
|
+
* - TypedArray read violations
|
|
11
|
+
*
|
|
12
|
+
* CWE-125 is #7 in CWE Top 25 2023.
|
|
13
|
+
*/
|
|
14
|
+
/**
|
|
15
|
+
* CWE-125 - Out-of-bounds Read
|
|
16
|
+
*/
|
|
17
|
+
export const cwe125OutOfBoundsRead = {
|
|
18
|
+
id: 'cwe-125-oob-read',
|
|
19
|
+
name: 'CWE-125: Out-of-bounds Read',
|
|
20
|
+
description: 'Detects potential out-of-bounds read vulnerabilities',
|
|
21
|
+
defaultSeverity: 'medium',
|
|
22
|
+
category: 'memory-safety',
|
|
23
|
+
tags: ['cwe', 'memory', 'buffer', 'array', 'security'],
|
|
24
|
+
cwe: ['125'],
|
|
25
|
+
references: [
|
|
26
|
+
{
|
|
27
|
+
title: 'CWE-125: Out-of-bounds Read',
|
|
28
|
+
url: 'https://cwe.mitre.org/data/definitions/125.html',
|
|
29
|
+
},
|
|
30
|
+
],
|
|
31
|
+
async analyze(context) {
|
|
32
|
+
const findings = [];
|
|
33
|
+
const sourceCode = context.sourceCode;
|
|
34
|
+
checkBufferReadPatterns(context, sourceCode, findings);
|
|
35
|
+
checkArrayReadPatterns(context, sourceCode, findings);
|
|
36
|
+
checkStringReadPatterns(context, sourceCode, findings);
|
|
37
|
+
return findings;
|
|
38
|
+
},
|
|
39
|
+
};
|
|
40
|
+
/**
|
|
41
|
+
* Check for buffer read patterns
|
|
42
|
+
*/
|
|
43
|
+
function checkBufferReadPatterns(context, sourceCode, findings) {
|
|
44
|
+
const lines = sourceCode.split('\n');
|
|
45
|
+
const bufferPatterns = [
|
|
46
|
+
{
|
|
47
|
+
pattern: /\.read(?:UInt|Int)(?:8|16|32)(?:BE|LE)?\s*\(\s*(?:\w+|[^)]+)\s*\)/gi,
|
|
48
|
+
type: 'Buffer typed read with dynamic offset',
|
|
49
|
+
message: 'Buffer read with dynamic offset needs bounds checking',
|
|
50
|
+
severity: 'medium',
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
pattern: /\.readBigInt64(?:BE|LE)?\s*\(\s*\w+\s*\)/gi,
|
|
54
|
+
type: 'Buffer BigInt read',
|
|
55
|
+
message: 'BigInt buffer read with variable offset needs validation',
|
|
56
|
+
severity: 'medium',
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
pattern: /\.slice\s*\(\s*(?:\w+|\d+)\s*,\s*(?:\w+|\d+)\s*\)/gi,
|
|
60
|
+
type: 'Buffer/Array slice with dynamic bounds',
|
|
61
|
+
message: 'Slice with dynamic bounds may read beyond buffer',
|
|
62
|
+
severity: 'low',
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
pattern: /\.subarray\s*\(\s*(?:\w+)\s*(?:,\s*\w+)?\s*\)/gi,
|
|
66
|
+
type: 'Subarray with dynamic offset',
|
|
67
|
+
message: 'Subarray with dynamic offset may exceed bounds',
|
|
68
|
+
severity: 'low',
|
|
69
|
+
},
|
|
70
|
+
{
|
|
71
|
+
pattern: /\.toString\s*\(\s*['"`]\w+['"`]\s*,\s*\w+\s*,\s*\w+\s*\)/gi,
|
|
72
|
+
type: 'Buffer toString with dynamic range',
|
|
73
|
+
message: 'Buffer toString with dynamic range needs validation',
|
|
74
|
+
severity: 'low',
|
|
75
|
+
},
|
|
76
|
+
];
|
|
77
|
+
for (let lineNum = 0; lineNum < lines.length; lineNum++) {
|
|
78
|
+
const line = lines[lineNum];
|
|
79
|
+
for (const { pattern, type, message, severity } of bufferPatterns) {
|
|
80
|
+
pattern.lastIndex = 0;
|
|
81
|
+
if (pattern.test(line)) {
|
|
82
|
+
findings.push({
|
|
83
|
+
id: `cwe-125-buffer-${findings.length + 1}`,
|
|
84
|
+
ruleId: 'cwe-125-oob-read',
|
|
85
|
+
severity,
|
|
86
|
+
message: `Out-of-bounds Read - ${type}: ${message}`,
|
|
87
|
+
location: {
|
|
88
|
+
file: context.filePath,
|
|
89
|
+
startLine: lineNum + 1,
|
|
90
|
+
endLine: lineNum + 1,
|
|
91
|
+
startColumn: 0,
|
|
92
|
+
endColumn: line.length,
|
|
93
|
+
},
|
|
94
|
+
cwe: ['125'],
|
|
95
|
+
suggestion: {
|
|
96
|
+
description: 'Validate offset and length before buffer read',
|
|
97
|
+
example: `// Check bounds before reading
|
|
98
|
+
if (offset >= 0 && offset + 4 <= buffer.length) {
|
|
99
|
+
const value = buffer.readInt32LE(offset);
|
|
100
|
+
}
|
|
101
|
+
|
|
102
|
+
// Safe slice
|
|
103
|
+
const safeEnd = Math.min(end, buffer.length);
|
|
104
|
+
const slice = buffer.slice(start, safeEnd);`,
|
|
105
|
+
},
|
|
106
|
+
});
|
|
107
|
+
}
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
/**
|
|
112
|
+
* Check for array read patterns
|
|
113
|
+
*/
|
|
114
|
+
function checkArrayReadPatterns(context, sourceCode, findings) {
|
|
115
|
+
const lines = sourceCode.split('\n');
|
|
116
|
+
const arrayPatterns = [
|
|
117
|
+
{
|
|
118
|
+
pattern: /\[\s*(?:req\.|params\.|query\.|body\.)\w+\s*\]/gi,
|
|
119
|
+
type: 'Array access with user-controlled index',
|
|
120
|
+
message: 'User-controlled array index may cause out-of-bounds read',
|
|
121
|
+
severity: 'medium',
|
|
122
|
+
},
|
|
123
|
+
{
|
|
124
|
+
pattern: /\[\s*\w+\s*-\s*\d+\s*\]/gi,
|
|
125
|
+
type: 'Array access with subtraction',
|
|
126
|
+
message: 'Array index subtraction may result in negative index',
|
|
127
|
+
severity: 'low',
|
|
128
|
+
},
|
|
129
|
+
{
|
|
130
|
+
pattern: /\.at\s*\(\s*-?\d+\s*\)/gi,
|
|
131
|
+
type: 'Array.at usage',
|
|
132
|
+
message: 'Array.at returns undefined for out-of-bounds, verify handling',
|
|
133
|
+
severity: 'info',
|
|
134
|
+
},
|
|
135
|
+
{
|
|
136
|
+
pattern: /for\s*\([^)]*<\s*\w+\.length\s*\+\s*\d+/gi,
|
|
137
|
+
type: 'Loop beyond array length',
|
|
138
|
+
message: 'Loop condition exceeds array length',
|
|
139
|
+
severity: 'medium',
|
|
140
|
+
},
|
|
141
|
+
];
|
|
142
|
+
for (let lineNum = 0; lineNum < lines.length; lineNum++) {
|
|
143
|
+
const line = lines[lineNum];
|
|
144
|
+
for (const { pattern, type, message, severity } of arrayPatterns) {
|
|
145
|
+
pattern.lastIndex = 0;
|
|
146
|
+
if (pattern.test(line)) {
|
|
147
|
+
findings.push({
|
|
148
|
+
id: `cwe-125-array-${findings.length + 1}`,
|
|
149
|
+
ruleId: 'cwe-125-oob-read',
|
|
150
|
+
severity,
|
|
151
|
+
message: `Out-of-bounds Read - ${type}: ${message}`,
|
|
152
|
+
location: {
|
|
153
|
+
file: context.filePath,
|
|
154
|
+
startLine: lineNum + 1,
|
|
155
|
+
endLine: lineNum + 1,
|
|
156
|
+
startColumn: 0,
|
|
157
|
+
endColumn: line.length,
|
|
158
|
+
},
|
|
159
|
+
cwe: ['125'],
|
|
160
|
+
suggestion: {
|
|
161
|
+
description: 'Validate array index before access',
|
|
162
|
+
example: `// Check bounds before access
|
|
163
|
+
if (index >= 0 && index < array.length) {
|
|
164
|
+
const value = array[index];
|
|
165
|
+
}
|
|
166
|
+
|
|
167
|
+
// Use optional chaining for safety
|
|
168
|
+
const value = array[index] ?? defaultValue;
|
|
169
|
+
|
|
170
|
+
// Use Array.at with null check
|
|
171
|
+
const item = array.at(index);
|
|
172
|
+
if (item !== undefined) { }`,
|
|
173
|
+
},
|
|
174
|
+
});
|
|
175
|
+
}
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
}
|
|
179
|
+
/**
|
|
180
|
+
* Check for string read patterns
|
|
181
|
+
*/
|
|
182
|
+
function checkStringReadPatterns(context, sourceCode, findings) {
|
|
183
|
+
const lines = sourceCode.split('\n');
|
|
184
|
+
const stringPatterns = [
|
|
185
|
+
{
|
|
186
|
+
pattern: /\.charAt\s*\(\s*(?:\w+|[^)]+)\s*\)/gi,
|
|
187
|
+
type: 'charAt with dynamic index',
|
|
188
|
+
message: 'charAt returns empty string for invalid index',
|
|
189
|
+
severity: 'info',
|
|
190
|
+
},
|
|
191
|
+
{
|
|
192
|
+
pattern: /\.charCodeAt\s*\(\s*(?:\w+|[^)]+)\s*\)/gi,
|
|
193
|
+
type: 'charCodeAt with dynamic index',
|
|
194
|
+
message: 'charCodeAt returns NaN for invalid index',
|
|
195
|
+
severity: 'low',
|
|
196
|
+
},
|
|
197
|
+
{
|
|
198
|
+
pattern: /\.substring\s*\(\s*\w+\s*,\s*\w+\s*\)/gi,
|
|
199
|
+
type: 'substring with dynamic bounds',
|
|
200
|
+
message: 'Ensure substring bounds are validated',
|
|
201
|
+
severity: 'info',
|
|
202
|
+
},
|
|
203
|
+
{
|
|
204
|
+
pattern: /\.codePointAt\s*\(\s*\w+\s*\)/gi,
|
|
205
|
+
type: 'codePointAt with dynamic index',
|
|
206
|
+
message: 'codePointAt returns undefined for invalid index',
|
|
207
|
+
severity: 'info',
|
|
208
|
+
},
|
|
209
|
+
];
|
|
210
|
+
for (let lineNum = 0; lineNum < lines.length; lineNum++) {
|
|
211
|
+
const line = lines[lineNum];
|
|
212
|
+
for (const { pattern, type, message, severity } of stringPatterns) {
|
|
213
|
+
pattern.lastIndex = 0;
|
|
214
|
+
if (pattern.test(line)) {
|
|
215
|
+
findings.push({
|
|
216
|
+
id: `cwe-125-string-${findings.length + 1}`,
|
|
217
|
+
ruleId: 'cwe-125-oob-read',
|
|
218
|
+
severity,
|
|
219
|
+
message: `Out-of-bounds Read - ${type}: ${message}`,
|
|
220
|
+
location: {
|
|
221
|
+
file: context.filePath,
|
|
222
|
+
startLine: lineNum + 1,
|
|
223
|
+
endLine: lineNum + 1,
|
|
224
|
+
startColumn: 0,
|
|
225
|
+
endColumn: line.length,
|
|
226
|
+
},
|
|
227
|
+
cwe: ['125'],
|
|
228
|
+
suggestion: {
|
|
229
|
+
description: 'Check string length before character access',
|
|
230
|
+
example: `// Check length before access
|
|
231
|
+
if (index < str.length) {
|
|
232
|
+
const char = str.charAt(index);
|
|
233
|
+
}
|
|
234
|
+
|
|
235
|
+
// Handle edge cases
|
|
236
|
+
const code = str.charCodeAt(index);
|
|
237
|
+
if (!Number.isNaN(code)) {
|
|
238
|
+
// valid code point
|
|
239
|
+
}`,
|
|
240
|
+
},
|
|
241
|
+
});
|
|
242
|
+
}
|
|
243
|
+
}
|
|
244
|
+
}
|
|
245
|
+
}
|
|
246
|
+
export default cwe125OutOfBoundsRead;
|
|
247
|
+
//# sourceMappingURL=cwe-125-oob-read.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-125-oob-read.js","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-125-oob-read.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAiB;IACjD,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,6BAA6B;IACnC,WAAW,EACT,sDAAsD;IACxD,eAAe,EAAE,QAAQ;IACzB,QAAQ,EAAE,eAAe;IACzB,IAAI,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,CAAC;IACtD,GAAG,EAAE,CAAC,KAAK,CAAC;IACZ,UAAU,EAAE;QACV;YACE,KAAK,EAAE,6BAA6B;YACpC,GAAG,EAAE,iDAAiD;SACvD;KACF;IAED,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;QAEtC,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACvD,sBAAsB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QACtD,uBAAuB,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEvD,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,uBAAuB,CAC9B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,cAAc,GAAG;QACrB;YACE,OAAO,EAAE,qEAAqE;YAC9E,IAAI,EAAE,uCAAuC;YAC7C,OAAO,EAAE,uDAAuD;YAChE,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,4CAA4C;YACrD,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,0DAA0D;YACnE,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,qDAAqD;YAC9D,IAAI,EAAE,wCAAwC;YAC9C,OAAO,EAAE,kDAAkD;YAC3D,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,iDAAiD;YAC1D,IAAI,EAAE,8BAA8B;YACpC,OAAO,EAAE,gDAAgD;YACzD,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,4DAA4D;YACrE,IAAI,EAAE,oCAAoC;YAC1C,OAAO,EAAE,qDAAqD;YAC9D,QAAQ,EAAE,KAAc;SACzB;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,cAAc,EAAE,CAAC;YAClE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,kBAAkB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC3C,MAAM,EAAE,kBAAkB;oBAC1B,QAAQ;oBACR,OAAO,EAAE,wBAAwB,IAAI,KAAK,OAAO,EAAE;oBACnD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,+CAA+C;wBAC5D,OAAO,EAAE;;;;;;;4CAOuB;qBACjC;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB;YACE,OAAO,EAAE,kDAAkD;YAC3D,IAAI,EAAE,yCAAyC;YAC/C,OAAO,EAAE,0DAA0D;YACnE,QAAQ,EAAE,QAAiB;SAC5B;QACD;YACE,OAAO,EAAE,2BAA2B;YACpC,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,sDAAsD;YAC/D,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,0BAA0B;YACnC,IAAI,EAAE,gBAAgB;YACtB,OAAO,EAAE,+DAA+D;YACxE,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,2CAA2C;YACpD,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE,qCAAqC;YAC9C,QAAQ,EAAE,QAAiB;SAC5B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YACjE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,kBAAkB;oBAC1B,QAAQ;oBACR,OAAO,EAAE,wBAAwB,IAAI,KAAK,OAAO,EAAE;oBACnD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,oCAAoC;wBACjD,OAAO,EAAE;;;;;;;;;;4BAUO;qBACjB;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,OAAoB,EACpB,UAAkB,EAClB,QAAuB;IAEvB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,cAAc,GAAG;QACrB;YACE,OAAO,EAAE,sCAAsC;YAC/C,IAAI,EAAE,2BAA2B;YACjC,OAAO,EAAE,+CAA+C;YACxD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,0CAA0C;YACnD,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,0CAA0C;YACnD,QAAQ,EAAE,KAAc;SACzB;QACD;YACE,OAAO,EAAE,yCAAyC;YAClD,IAAI,EAAE,+BAA+B;YACrC,OAAO,EAAE,uCAAuC;YAChD,QAAQ,EAAE,MAAe;SAC1B;QACD;YACE,OAAO,EAAE,iCAAiC;YAC1C,IAAI,EAAE,gCAAgC;YACtC,OAAO,EAAE,iDAAiD;YAC1D,QAAQ,EAAE,MAAe;SAC1B;KACF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,cAAc,EAAE,CAAC;YAClE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,kBAAkB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC3C,MAAM,EAAE,kBAAkB;oBAC1B,QAAQ;oBACR,OAAO,EAAE,wBAAwB,IAAI,KAAK,OAAO,EAAE;oBACnD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,6CAA6C;wBAC1D,OAAO,EAAE;;;;;;;;;EASnB;qBACS;iBACF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,qBAAqB,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview CWE-190: Integer Overflow or Wraparound
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/cwe/cwe-190-integer-overflow
|
|
4
|
+
* @trace TSK-RULE-006
|
|
5
|
+
*/
|
|
6
|
+
import type { SecurityRule } from '../types.js';
|
|
7
|
+
export declare const cwe190IntegerOverflow: SecurityRule;
|
|
8
|
+
export default cwe190IntegerOverflow;
|
|
9
|
+
//# sourceMappingURL=cwe-190-integer-overflow.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"cwe-190-integer-overflow.d.ts","sourceRoot":"","sources":["../../../src/rules/cwe/cwe-190-integer-overflow.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA4B,MAAM,aAAa,CAAC;AAE1E,eAAO,MAAM,qBAAqB,EAAE,YAkDnC,CAAC;AAEF,eAAe,qBAAqB,CAAC"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @fileoverview CWE-190: Integer Overflow or Wraparound
|
|
3
|
+
* @module @nahisaho/musubix-security/rules/cwe/cwe-190-integer-overflow
|
|
4
|
+
* @trace TSK-RULE-006
|
|
5
|
+
*/
|
|
6
|
+
export const cwe190IntegerOverflow = {
|
|
7
|
+
id: 'cwe-190-integer-overflow',
|
|
8
|
+
name: 'CWE-190: Integer Overflow or Wraparound',
|
|
9
|
+
description: 'Detects potential integer overflow vulnerabilities',
|
|
10
|
+
defaultSeverity: 'high',
|
|
11
|
+
category: 'numeric',
|
|
12
|
+
tags: ['cwe', 'integer', 'overflow', 'security'],
|
|
13
|
+
cwe: ['190'],
|
|
14
|
+
references: [
|
|
15
|
+
{ title: 'CWE-190', url: 'https://cwe.mitre.org/data/definitions/190.html' },
|
|
16
|
+
],
|
|
17
|
+
async analyze(context) {
|
|
18
|
+
const findings = [];
|
|
19
|
+
const lines = context.sourceCode.split('\n');
|
|
20
|
+
const patterns = [
|
|
21
|
+
{ pattern: /\w+\s*\+\s*\w+\s*>\s*Number\.MAX_SAFE_INTEGER/gi, type: 'Unchecked addition overflow', severity: 'high' },
|
|
22
|
+
{ pattern: /parseInt\s*\([^)]+\)\s*\*\s*\d+/gi, type: 'Parsed int multiplication', severity: 'medium' },
|
|
23
|
+
{ pattern: /\w+\s*\*\s*\w+\s*(?!.*(?:BigInt|overflow|check))/gi, type: 'Unchecked multiplication', severity: 'low' },
|
|
24
|
+
{ pattern: /Math\.pow\s*\([^)]+\)/gi, type: 'Power operation without bounds', severity: 'medium' },
|
|
25
|
+
{ pattern: /<<\s*\d{2,}/gi, type: 'Large bit shift', severity: 'high' },
|
|
26
|
+
{ pattern: /new\s+(?:Int8|Int16|Int32|Uint8|Uint16|Uint32)Array/gi, type: 'TypedArray boundary', severity: 'low' },
|
|
27
|
+
];
|
|
28
|
+
for (let i = 0; i < lines.length; i++) {
|
|
29
|
+
for (const { pattern, type, severity } of patterns) {
|
|
30
|
+
pattern.lastIndex = 0;
|
|
31
|
+
if (pattern.test(lines[i])) {
|
|
32
|
+
findings.push({
|
|
33
|
+
id: `cwe-190-${findings.length + 1}`,
|
|
34
|
+
ruleId: 'cwe-190-integer-overflow',
|
|
35
|
+
severity,
|
|
36
|
+
message: `Integer Overflow - ${type}: Validate numeric bounds`,
|
|
37
|
+
location: { file: context.filePath, startLine: i + 1, endLine: i + 1 },
|
|
38
|
+
cwe: ['190'],
|
|
39
|
+
suggestion: {
|
|
40
|
+
description: 'Use BigInt or bounds checking',
|
|
41
|
+
example: `// Use BigInt for large numbers
|
|
42
|
+
const result = BigInt(a) * BigInt(b);
|
|
43
|
+
|
|
44
|
+
// Or check bounds
|
|
45
|
+
if (a > Number.MAX_SAFE_INTEGER - b) throw new Error('Overflow');`,
|
|
46
|
+
},
|
|
47
|
+
});
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
return findings;
|
|
52
|
+
},
|
|
53
|
+
};
|
|
54
|
+
export default cwe190IntegerOverflow;
|
|
55
|
+
//# sourceMappingURL=cwe-190-integer-overflow.js.map
|