@nahisaho/musubix-security 2.0.1 → 2.1.0

package/dist/analysis/sources/user-input.js

@@ -0,0 +1,261 @@
+/**
+ * @fileoverview User input source definitions
+ * @module @nahisaho/musubix-security/analysis/sources/user-input
+ * @trace REQ-SEC-001
+ */
+/**
+ * User input sources - form data, query params, request body
+ * @trace REQ-SEC-001
+ */
+export const USER_INPUT_SOURCES = [
+    // Express.js sources
+    {
+        id: 'SRC-UI-001',
+        name: 'Express Request Body',
+        category: 'user-input',
+        framework: 'express',
+        patterns: [
+            { receiver: 'req', property: 'body', taintedReturn: true },
+            { receiver: 'request', property: 'body', taintedReturn: true },
+        ],
+        description: 'HTTP request body (POST/PUT data)',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['express', 'http', 'body'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    {
+        id: 'SRC-UI-002',
+        name: 'Express Query Parameters',
+        category: 'user-input',
+        framework: 'express',
+        patterns: [
+            { receiver: 'req', property: 'query', taintedReturn: true },
+            { receiver: 'request', property: 'query', taintedReturn: true },
+        ],
+        description: 'URL query parameters',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['express', 'http', 'query'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    {
+        id: 'SRC-UI-003',
+        name: 'Express URL Parameters',
+        category: 'user-input',
+        framework: 'express',
+        patterns: [
+            { receiver: 'req', property: 'params', taintedReturn: true },
+            { receiver: 'request', property: 'params', taintedReturn: true },
+        ],
+        description: 'URL path parameters (e.g., /users/:id)',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['express', 'http', 'params'],
+        relatedCWE: ['CWE-20', 'CWE-89', 'CWE-22'],
+    },
+    {
+        id: 'SRC-UI-004',
+        name: 'Express Headers',
+        category: 'user-input',
+        framework: 'express',
+        patterns: [
+            { receiver: 'req', property: 'headers', taintedReturn: true },
+            { receiver: 'req', method: 'get', taintedReturn: true },
+            { receiver: 'req', method: 'header', taintedReturn: true },
+        ],
+        description: 'HTTP request headers',
+        confidence: 0.9,
+        enabled: true,
+        tags: ['express', 'http', 'headers'],
+        relatedCWE: ['CWE-20', 'CWE-113'],
+    },
+    {
+        id: 'SRC-UI-005',
+        name: 'Express Cookies',
+        category: 'user-input',
+        framework: 'express',
+        patterns: [
+            { receiver: 'req', property: 'cookies', taintedReturn: true },
+            { receiver: 'req', property: 'signedCookies', taintedReturn: true },
+        ],
+        description: 'HTTP cookies',
+        confidence: 0.9,
+        enabled: true,
+        tags: ['express', 'http', 'cookies'],
+        relatedCWE: ['CWE-20', 'CWE-79'],
+    },
+    // Koa.js sources
+    {
+        id: 'SRC-UI-010',
+        name: 'Koa Request Body',
+        category: 'user-input',
+        framework: 'koa',
+        patterns: [
+            { receiver: 'ctx', property: ['request', 'body'], taintedReturn: true },
+            { receiver: 'ctx', property: 'body', taintedReturn: true },
+        ],
+        description: 'Koa request body',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['koa', 'http', 'body'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    {
+        id: 'SRC-UI-011',
+        name: 'Koa Query Parameters',
+        category: 'user-input',
+        framework: 'koa',
+        patterns: [
+            { receiver: 'ctx', property: 'query', taintedReturn: true },
+            { receiver: 'ctx', property: ['request', 'query'], taintedReturn: true },
+        ],
+        description: 'Koa query parameters',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['koa', 'http', 'query'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    {
+        id: 'SRC-UI-012',
+        name: 'Koa URL Parameters',
+        category: 'user-input',
+        framework: 'koa',
+        patterns: [
+            { receiver: 'ctx', property: 'params', taintedReturn: true },
+        ],
+        description: 'Koa URL path parameters',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['koa', 'http', 'params'],
+        relatedCWE: ['CWE-20', 'CWE-89', 'CWE-22'],
+    },
+    // Fastify sources
+    {
+        id: 'SRC-UI-020',
+        name: 'Fastify Request Body',
+        category: 'user-input',
+        framework: 'fastify',
+        patterns: [
+            { receiver: 'request', property: 'body', taintedReturn: true },
+            { receiver: 'req', property: 'body', taintedReturn: true },
+        ],
+        description: 'Fastify request body',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['fastify', 'http', 'body'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    {
+        id: 'SRC-UI-021',
+        name: 'Fastify Query Parameters',
+        category: 'user-input',
+        framework: 'fastify',
+        patterns: [
+            { receiver: 'request', property: 'query', taintedReturn: true },
+        ],
+        description: 'Fastify query parameters',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['fastify', 'http', 'query'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    // Next.js sources
+    {
+        id: 'SRC-UI-030',
+        name: 'Next.js API Request Body',
+        category: 'user-input',
+        framework: 'next',
+        patterns: [
+            { receiver: 'req', property: 'body', taintedReturn: true },
+        ],
+        description: 'Next.js API route request body',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['next', 'http', 'body'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    {
+        id: 'SRC-UI-031',
+        name: 'Next.js Query Parameters',
+        category: 'user-input',
+        framework: 'next',
+        patterns: [
+            { receiver: 'req', property: 'query', taintedReturn: true },
+        ],
+        description: 'Next.js API route query parameters',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['next', 'http', 'query'],
+        relatedCWE: ['CWE-20', 'CWE-79', 'CWE-89'],
+    },
+    // Browser sources
+    {
+        id: 'SRC-UI-040',
+        name: 'DOM Input Value',
+        category: 'user-input',
+        framework: 'browser',
+        patterns: [
+            { method: 'getElementById', taintedReturn: true },
+            { method: 'querySelector', taintedReturn: true },
+            { method: 'querySelectorAll', taintedReturn: true },
+            { method: 'getElementsByName', taintedReturn: true },
+            { method: 'getElementsByClassName', taintedReturn: true },
+        ],
+        description: 'DOM element values (potentially user-controlled)',
+        confidence: 0.85,
+        enabled: true,
+        tags: ['browser', 'dom', 'input'],
+        relatedCWE: ['CWE-79', 'CWE-20'],
+    },
+    {
+        id: 'SRC-UI-041',
+        name: 'URL Location',
+        category: 'user-input',
+        framework: 'browser',
+        patterns: [
+            { receiver: 'location', property: 'search', taintedReturn: true },
+            { receiver: 'location', property: 'hash', taintedReturn: true },
+            { receiver: 'location', property: 'href', taintedReturn: true },
+            { receiver: 'window', property: ['location', 'search'], taintedReturn: true },
+        ],
+        description: 'Browser URL parameters',
+        confidence: 0.9,
+        enabled: true,
+        tags: ['browser', 'url'],
+        relatedCWE: ['CWE-79', 'CWE-601'],
+    },
+    {
+        id: 'SRC-UI-042',
+        name: 'User Prompt',
+        category: 'user-input',
+        framework: 'browser',
+        patterns: [
+            { method: 'prompt', taintedReturn: true },
+        ],
+        description: 'User input from prompt dialog',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['browser', 'prompt'],
+        relatedCWE: ['CWE-79', 'CWE-20'],
+    },
+    // FormData
+    {
+        id: 'SRC-UI-050',
+        name: 'FormData',
+        category: 'user-input',
+        framework: 'browser',
+        patterns: [
+            { receiver: 'FormData', method: 'get', taintedReturn: true },
+            { receiver: 'FormData', method: 'getAll', taintedReturn: true },
+            { receiver: 'formData', method: 'get', taintedReturn: true },
+            { receiver: 'formData', method: 'getAll', taintedReturn: true },
+        ],
+        description: 'Form data values',
+        confidence: 0.95,
+        enabled: true,
+        tags: ['browser', 'form'],
+        relatedCWE: ['CWE-20', 'CWE-79'],
+    },
+];
+//# sourceMappingURL=user-input.js.map

package/dist/analysis/sources/user-input.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-input.js","sourceRoot":"","sources":["../../../src/analysis/sources/user-input.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;GAGG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAgC;IAC7D,qBAAqB;IACrB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;YAC1D,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;SAC/D;QACD,WAAW,EAAE,mCAAmC;QAChD,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC;QACjC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE;YAC3D,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE;SAChE;QACD,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC;QAClC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;YAC5D,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;SACjE;QACD,WAAW,EAAE,wCAAwC;QACrD,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;QACnC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE;YAC7D,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;YACvD,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;SAC3D;QACD,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC;QACpC,UAAU,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;KAClC;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,aAAa,EAAE,IAAI,EAAE;YAC7D,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,eAAe,EAAE,aAAa,EAAE,IAAI,EAAE;SACpE;QACD,WAAW,EAAE,cAAc;QAC3B,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC;QACpC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;KACjC;IAED,iBAAiB;IACjB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE;YACvE,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;SAC3D;QACD,WAAW,EAAE,kBAAkB;QAC/B,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;QAC7B,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE;YAC3D,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE;SACzE;QACD,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC;QAC9B,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,KAAK;QAChB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;SAC7D;QACD,WAAW,EAAE,yBAAyB;QACtC,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC;QAC/B,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IAED,kBAAkB;IAClB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;YAC9D,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;SAC3D;QACD,WAAW,EAAE,sBAAsB;QACnC,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC;QACjC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE;SAChE;QACD,WAAW,EAAE,0BAA0B;QACvC,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC;QAClC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IAED,kBAAkB;IAClB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,MAAM;QACjB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;SAC3D;QACD,WAAW,EAAE,gCAAgC;QAC7C,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;QAC9B,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,MAAM;QACjB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE;SAC5D;QACD,WAAW,EAAE,oCAAoC;QACjD,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC;QAC/B,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;KAC3C;IAED,kBAAkB;IAClB;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,MAAM,EAAE,gBAAgB,EAAE,aAAa,EAAE,IAAI,EAAE;YACjD,EAAE,MAAM,EAAE,eAAe,EAAE,aAAa,EAAE,IAAI,EAAE;YAChD,EAAE,MAAM,EAAE,kBAAkB,EAAE,aAAa,EAAE,IAAI,EAAE;YACnD,EAAE,MAAM,EAAE,mBAAmB,EAAE,aAAa,EAAE,IAAI,EAAE;YACpD,EAAE,MAAM,EAAE,wBAAwB,EAAE,aAAa,EAAE,IAAI,EAAE;SAC1D;QACD,WAAW,EAAE,kDAAkD;QAC/D,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC;QACjC,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;KACjC;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,cAAc;QACpB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;YACjE,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;YAC/D,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE;YAC/D,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,UAAU,EAAE,QAAQ,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE;SAC9E;QACD,WAAW,EAAE,wBAAwB;QACrC,UAAU,EAAE,GAAG;QACf,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,CAAC;QACxB,UAAU,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;KAClC;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,aAAa;QACnB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;SAC1C;QACD,WAAW,EAAE,+BAA+B;QAC5C,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC;QAC3B,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;KACjC;IAED,WAAW;IACX;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,YAAY;QACtB,SAAS,EAAE,SAAS;QACpB,QAAQ,EAAE;YACR,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;YAC5D,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;YAC/D,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;YAC5D,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE;SAChE;QACD,WAAW,EAAE,kBAAkB;QAC/B,UAAU,EAAE,IAAI;QAChB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;QACzB,UAAU,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;KACjC;CACO,CAAC"}

package/dist/cve/cpe-matcher.d.ts

@@ -0,0 +1,183 @@
+/**
+ * @fileoverview CPE (Common Platform Enumeration) Matching Engine
+ * @module @nahisaho/musubix-security/cve/cpe-matcher
+ *
+ * Provides npm package name to CPE conversion and semver-based
+ * vulnerability matching.
+ *
+ * @requirement REQ-CVE-003 - CPE matching for vulnerability lookup
+ * @design DES-EPIC2-004 - CPE Matcher component
+ */
+/**
+ * CPE 2.3 URI components
+ * @see https://nvd.nist.gov/products/cpe
+ */
+export interface CPEComponents {
+    /** CPE part: 'a' = application, 'o' = OS, 'h' = hardware */
+    part: 'a' | 'o' | 'h';
+    /** Vendor/publisher name */
+    vendor: string;
+    /** Product name */
+    product: string;
+    /** Version string */
+    version: string;
+    /** Update/patch level */
+    update?: string;
+    /** Edition */
+    edition?: string;
+    /** Language */
+    language?: string;
+    /** Software edition */
+    swEdition?: string;
+    /** Target software */
+    targetSw?: string;
+    /** Target hardware */
+    targetHw?: string;
+    /** Other attributes */
+    other?: string;
+}
+/**
+ * Version range for vulnerability matching
+ */
+export interface VersionRange {
+    /** Starting version (inclusive unless startExcluding is set) */
+    versionStart?: string;
+    /** Ending version (inclusive unless endExcluding is set) */
+    versionEnd?: string;
+    /** Start version is exclusive */
+    versionStartExcluding?: boolean;
+    /** End version is exclusive */
+    versionEndExcluding?: boolean;
+}
+/**
+ * CPE match criteria from NVD
+ */
+export interface CPEMatch {
+    /** CPE 2.3 URI */
+    criteria: string;
+    /** Whether this criteria makes the configuration vulnerable */
+    vulnerable: boolean;
+    /** Match criteria ID */
+    matchCriteriaId: string;
+    /** Version range */
+    versionRange?: VersionRange;
+}
+/**
+ * Vulnerability match result
+ */
+export interface VulnerabilityMatch {
+    /** Package name */
+    packageName: string;
+    /** Package version */
+    packageVersion: string;
+    /** CVE ID */
+    cveId: string;
+    /** Generated CPE URI */
+    cpe: string;
+    /** Match criteria that matched */
+    matchCriteria?: CPEMatch;
+    /** Whether version is in vulnerable range */
+    isVulnerable: boolean;
+    /** Match confidence (0-1) */
+    confidence: number;
+}
+/**
+ * CPE Matcher for npm packages
+ *
+ * @example
+ * ```typescript
+ * const matcher = new CPEMatcher();
+ *
+ * // Generate CPE from package
+ * const cpe = matcher.generateCPE('express', '4.18.2');
+ * // => 'cpe:2.3:a:expressjs:express:4.18.2:*:*:*:*:node.js:*:*'
+ *
+ * // Check if version is vulnerable
+ * const isVuln = matcher.isVersionVulnerable('4.18.2', {
+ *   versionStart: '4.0.0',
+ *   versionEnd: '4.19.0',
+ *   versionEndExcluding: true
+ * });
+ * ```
+ */
+export declare class CPEMatcher {
+    private vendorMappings;
+    constructor(customMappings?: Record<string, string>);
+    /**
+     * Generate CPE 2.3 URI for an npm package
+     * @param packageName - npm package name
+     * @param version - Package version
+     * @returns CPE 2.3 formatted URI
+     */
+    generateCPE(packageName: string, version: string): string;
+    /**
+     * Convert npm package info to CPE components
+     */
+    packageToCPEComponents(packageName: string, version: string): CPEComponents;
+    /**
+     * Convert CPE components to URI string
+     */
+    componentsToURI(components: CPEComponents): string;
+    /**
+     * Parse CPE 2.3 URI to components
+     */
+    parseURI(cpeUri: string): CPEComponents | null;
+    /**
+     * Check if a version falls within a vulnerable range
+     * @param version - Version to check
+     * @param range - Version range from CVE data
+     * @returns True if version is within vulnerable range
+     */
+    isVersionVulnerable(version: string, range: VersionRange): boolean;
+    /**
+     * Match a package against CPE criteria
+     */
+    matchPackage(packageName: string, packageVersion: string, cpeMatch: CPEMatch): VulnerabilityMatch | null;
+    /**
+     * Add a custom vendor mapping
+     */
+    addVendorMapping(packageName: string, vendor: string): void;
+    /**
+     * Get the vendor for a package
+     */
+    getVendor(packageName: string): string;
+    /**
+     * Normalize package name for CPE
+     */
+    private normalizeName;
+    /**
+     * Normalize version string
+     */
+    private normalizeVersion;
+    /**
+     * Resolve vendor for a package
+     */
+    private resolveVendor;
+    /**
+     * Get possible vendor names for a package
+     */
+    private getPossibleVendors;
+    /**
+     * Compare two semver versions
+     * @returns -1 if a < b, 0 if a == b, 1 if a > b
+     */
+    compareVersions(a: string, b: string): number;
+    /**
+     * Escape special characters in CPE component
+     */
+    private escapeComponent;
+    /**
+     * Unescape CPE component value
+     */
+    private unescapeComponent;
+}
+/**
+ * Create a CPE search query from package info
+ * Generates wildcarded CPE for searching NVD
+ */
+export declare function createCPESearchQuery(packageName: string, vendor?: string): string;
+/**
+ * Extract package name from CPE URI
+ */
+export declare function extractPackageFromCPE(cpeUri: string): string | null;
+//# sourceMappingURL=cpe-matcher.d.ts.map

package/dist/cve/cpe-matcher.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cpe-matcher.d.ts","sourceRoot":"","sources":["../../src/cve/cpe-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B,4DAA4D;IAC5D,IAAI,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;IACtB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,yBAAyB;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,eAAe;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,sBAAsB;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sBAAsB;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,+BAA+B;IAC/B,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,kBAAkB;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,+DAA+D;IAC/D,UAAU,EAAE,OAAO,CAAC;IACpB,wBAAwB;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,oBAAoB;IACpB,YAAY,CAAC,EAAE,YAAY,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,sBAAsB;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa;IACb,KAAK,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,kCAAkC;IAClC,aAAa,CAAC,EAAE,QAAQ,CAAC;IACzB,6CAA6C;IAC7C,YAAY,EAAE,OAAO,CAAC;IACtB,6BAA6B;IAC7B,UAAU,EAAE,MAAM,CAAC;CACpB;AA4ED;;;;;;;;;;;;;;;;;;GAkBG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,cAAc,CAAsB;gBAEhC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAOnD;;;;;OAKG;IACH,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM;IAKzD;;OAEG;IACH,sBAAsB,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,aAAa;IAa3E;;OAEG;IACH,eAAe,CAAC,UAAU,EAAE,aAAa,GAAG,MAAM;IAmBlD;;OAEG;IACH,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IAwB9C;;;;;OAKG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,GAAG,OAAO;IAkClE;;OAEG;IACH,YAAY,CACV,WAAW,EAAE,MAAM,EACnB,cAAc,EAAE,MAAM,EACtB,QAAQ,EAAE,QAAQ,GACjB,kBAAkB,GAAG,IAAI;IA8D5B;;OAEG;IACH,gBAAgB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI;IAI3D;;OAEG;IACH,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM;IAItC;;OAEG;IACH,OAAO,CAAC,aAAa;IAYrB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAQxB;;OAEG;IACH,OAAO,CAAC,aAAa;IAwBrB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAqB1B;;;OAGG;IACH,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM;IAiB7C;;OAEG;IACH,OAAO,CAAC,eAAe;IAUvB;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAS1B;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,MAAM,EACnB,MAAM,CAAC,EAAE,MAAM,GACd,MAAM,CASR;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAInE"}