@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/rules/owasp/a06-vulnerable-components.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a06-vulnerable-components.js","sourceRoot":"","sources":["../../../src/rules/owasp/a06-vulnerable-components.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,4BAA4B,GAAiB;IACxD,EAAE,EAAE,iCAAiC;IACrC,IAAI,EAAE,qDAAqD;IAC3D,WAAW,EAAE,+EAA+E;IAC5F,eAAe,EAAE,MAAM;IACvB,QAAQ,EAAE,YAAY;IACtB,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;IAC5B,UAAU,EAAE;QACV;YACE,KAAK,EAAE,gBAAgB;YACvB,GAAG,EAAE,sEAAsE;SAC5E;QACD;YACE,KAAK,EAAE,sDAAsD;YAC7D,GAAG,EAAE,kDAAkD;SACxD;KACiB;IAEpB,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,gCAAgC;QAChC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE3C,6CAA6C;QAC7C,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAC9C,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACtC,CAAC;QAED,0CAA0C;QAC1C,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEnC,+BAA+B;QAC/B,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEpC,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,mBAAmB;IACnB,EAAE,OAAO,EAAE,gGAAgG,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,mCAAmC,EAAE;IACxK,iBAAiB;IACjB,EAAE,OAAO,EAAE,0DAA0D,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,oCAAoC,EAAE;IACnI,iBAAiB;IACjB,EAAE,OAAO,EAAE,sDAAsD,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC9G,mBAAmB;IACnB,EAAE,OAAO,EAAE,6DAA6D,EAAE,GAAG,EAAE,UAAU,EAAE,KAAK,EAAE,mCAAmC,EAAE;IACvI,+BAA+B;IAC/B,EAAE,OAAO,EAAE,yDAAyD,EAAE,GAAG,EAAE,sBAAsB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC/H,qBAAqB;IACrB,EAAE,OAAO,EAAE,2CAA2C,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,kDAAkD,EAAE;IACtI,wBAAwB;IACxB,EAAE,OAAO,EAAE,uBAAuB,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,iDAAiD,EAAE;IAC7G,uBAAuB;IACvB,EAAE,OAAO,EAAE,wBAAwB,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,4CAA4C,EAAE;IAC1G,sBAAsB;IACtB,EAAE,OAAO,EAAE,gDAAgD,EAAE,GAAG,EAAE,aAAa,EAAE,KAAK,EAAE,mCAAmC,EAAE;CAC9H,CAAC;AAEF;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAAoB,EAAE,QAAuB;IAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,gDAAgD;IAChD,MAAM,cAAc,GAAG;QACrB,0CAA0C;QAC1C,EAAE,OAAO,EAAE,uCAAuC,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,wCAAwC,EAAE;QACpH,EAAE,OAAO,EAAE,wCAAwC,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,oBAAoB,EAAE;QAClG,aAAa;QACb,EAAE,OAAO,EAAE,wCAAwC,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,wCAAwC,EAAE;QACrH,EAAE,OAAO,EAAE,yCAAyC,EAAE,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,oBAAoB,EAAE;QACnG,qCAAqC;QACrC,EAAE,OAAO,EAAE,4BAA4B,EAAE,GAAG,EAAE,qBAAqB,EAAE,KAAK,EAAE,iCAAiC,EAAE;KAChH,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,cAAc,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,oBAAoB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC7C,MAAM,EAAE,iCAAiC;oBACzC,QAAQ,EAAE,QAAQ;oBAClB,OAAO,EAAE,mDAAmD,GAAG,MAAM,KAAK,EAAE;oBAC5E,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,UAAU,EAAE;wBACV,WAAW,EAAE,yCAAyC;wBACtD,OAAO,EAAE,GAAG,KAAK,QAAQ;4BACvB,CAAC,CAAC,wEAAwE;4BAC1E,CAAC,CAAC,GAAG,KAAK,SAAS;gCACnB,CAAC,CAAC,0DAA0D;gCAC5D,CAAC,CAAC,2CAA2C;qBAChD;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAoB,EAAE,QAAuB;IACrE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,iCAAiC;oBACzC,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,+BAA+B,GAAG,MAAM,KAAK,EAAE;oBACxD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,MAAM,CAAC;oBACb,UAAU,EAAE;wBACV,WAAW,EAAE,qCAAqC;wBAClD,OAAO,EAAE,sCAAsC,GAAG,EAAE;qBACrD;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,OAAoB,EAAE,QAAuB;IACpE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,0CAA0C;IAC1C,MAAM,cAAc,GAAG,8CAA8C,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7F,IAAI,CAAC,cAAc;QAAE,OAAO;IAE5B,MAAM,WAAW,GAAG;QAClB,yCAAyC;QACzC,EAAE,OAAO,EAAE,uFAAuF,EAAE,IAAI,EAAE,QAAQ,EAAE;QACpH,uCAAuC;QACvC,EAAE,OAAO,EAAE,sFAAsF,EAAE,IAAI,EAAE,YAAY,EAAE;KACxH,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC;YAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,0CAA0C;gBAC1C,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;wBAC1C,MAAM,EAAE,iCAAiC;wBACzC,QAAQ,EAAE,QAAQ;wBAClB,OAAO,EAAE,oDAAoD,IAAI,EAAE;wBACnE,QAAQ,EAAE;4BACR,IAAI,EAAE,OAAO,CAAC,QAAQ;4BACtB,SAAS,EAAE,OAAO,GAAG,CAAC;4BACtB,OAAO,EAAE,OAAO,GAAG,CAAC;4BACpB,WAAW,EAAE,CAAC;4BACd,SAAS,EAAE,IAAI,CAAC,MAAM;yBACvB;wBACD,GAAG,EAAE,CAAC,KAAK,CAAC;wBACZ,UAAU,EAAE;4BACV,WAAW,EAAE,0CAA0C;4BACvD,OAAO,EAAE;;oCAEa;yBACvB;qBACF,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAoB,EAAE,QAAuB;IACrE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,mBAAmB,GAAG;QAC1B,sBAAsB;QACtB,EAAE,OAAO,EAAE,+CAA+C,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,kBAAkB,EAAE;QACtG,yBAAyB;QACzB,EAAE,OAAO,EAAE,kDAAkD,EAAE,GAAG,EAAE,WAAW,EAAE,KAAK,EAAE,kBAAkB,EAAE;QAC5G,uBAAuB;QACvB,EAAE,OAAO,EAAE,kCAAkC,EAAE,GAAG,EAAE,WAAW,EAAE,KAAK,EAAE,gBAAgB,EAAE;QAC1F,gCAAgC;QAChC,EAAE,OAAO,EAAE,6CAA6C,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE;KAC7G,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,mBAAmB,EAAE,CAAC;YAC1D,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,iBAAiB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC1C,MAAM,EAAE,iCAAiC;oBACzC,QAAQ,EAAE,GAAG,KAAK,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;oBAC3C,OAAO,EAAE,eAAe,KAAK,KAAK,GAAG,EAAE;oBACvC,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,UAAU,EAAE;wBACV,WAAW,EAAE,GAAG,KAAK,KAAK;4BACxB,CAAC,CAAC,yCAAyC;4BAC3C,CAAC,CAAC,UAAU,GAAG,wBAAwB;qBAC1C;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,4BAA4B,CAAC"}

package/dist/rules/owasp/a07-auth-failures.d.ts

@@ -0,0 +1,19 @@
+/**
+ * @fileoverview OWASP A07:2021 - Identification and Authentication Failures
+ * @module @nahisaho/musubix-security/rules/owasp/a07
+ * @trace REQ-SEC-OWASP-007
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * OWASP A07:2021 - Identification and Authentication Failures
+ *
+ * Detects:
+ * - Weak password requirements
+ * - Missing brute-force protection
+ * - Insecure session management
+ * - Credential exposure
+ * - Missing MFA considerations
+ */
+export declare const owaspA07AuthFailures: SecurityRule;
+export default owaspA07AuthFailures;
+//# sourceMappingURL=a07-auth-failures.d.ts.map

package/dist/rules/owasp/a07-auth-failures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a07-auth-failures.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/a07-auth-failures.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2C,MAAM,aAAa,CAAC;AAEzF;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,EAAE,YA8BlC,CAAC;AAsRF,eAAe,oBAAoB,CAAC"}

package/dist/rules/owasp/a07-auth-failures.js

@@ -0,0 +1,300 @@
+/**
+ * @fileoverview OWASP A07:2021 - Identification and Authentication Failures
+ * @module @nahisaho/musubix-security/rules/owasp/a07
+ * @trace REQ-SEC-OWASP-007
+ */
+/**
+ * OWASP A07:2021 - Identification and Authentication Failures
+ *
+ * Detects:
+ * - Weak password requirements
+ * - Missing brute-force protection
+ * - Insecure session management
+ * - Credential exposure
+ * - Missing MFA considerations
+ */
+export const owaspA07AuthFailures = {
+    id: 'owasp-a07-auth-failures',
+    name: 'OWASP A07:2021 - Identification and Authentication Failures',
+    description: 'Detects weak authentication patterns and credential management issues',
+    defaultSeverity: 'critical',
+    category: 'authentication',
+    owasp: ['A07:2021'],
+    cwe: ['287', '288', '307', '384', '521', '613', '620', '640', '798'],
+    references: [
+        {
+            title: 'OWASP A07:2021',
+            url: 'https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/',
+        },
+        {
+            title: 'CWE-287: Improper Authentication',
+            url: 'https://cwe.mitre.org/data/definitions/287.html',
+        },
+    ],
+    async analyze(context) {
+        const findings = [];
+        checkWeakPasswordPolicy(context, findings);
+        checkInsecureSession(context, findings);
+        checkCredentialExposure(context, findings);
+        checkMissingBruteForceProtection(context, findings);
+        checkInsecureTokenHandling(context, findings);
+        return findings;
+    },
+};
+/**
+ * Check for weak password policies
+ */
+function checkWeakPasswordPolicy(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const weakPolicies = [
+        // Minimum length too short
+        { pattern: /(?:minLength|min_length|minimum.*length)\s*[:=]\s*([1-7])\b/i, issue: 'Password minimum length too short (should be >= 8)' },
+        // No complexity requirements
+        { pattern: /password.*required\s*[:=]\s*(?:false|0)/i, issue: 'Password validation disabled' },
+        // Only checking length
+        { pattern: /password\.length\s*>=?\s*[1-5]\b/i, issue: 'Weak password length check' },
+        // Plain text password comparison
+        { pattern: /password\s*===?\s*(?:req\.body\.|params\.|user\.)/i, issue: 'Plain text password comparison' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue } of weakPolicies) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a07-password-${findings.length + 1}`,
+                    ruleId: 'owasp-a07-auth-failures',
+                    severity: 'high',
+                    message: `Weak password policy: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['521'],
+                    suggestion: {
+                        description: 'Enforce strong password policy',
+                        example: `// Use strong password validation:
+const passwordSchema = {
+  minLength: 12,
+  requireUppercase: true,
+  requireLowercase: true,
+  requireNumbers: true,
+  requireSpecialChars: true
+};`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for insecure session management
+ */
+function checkInsecureSession(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const sessionPatterns = [
+        // Insecure cookie settings
+        { pattern: /secure\s*:\s*false/i, issue: 'Insecure cookie (missing secure flag)' },
+        { pattern: /httpOnly\s*:\s*false/i, issue: 'Cookie vulnerable to XSS (httpOnly disabled)' },
+        { pattern: /sameSite\s*:\s*['"`]none['"`]/i, issue: 'SameSite=None without proper security' },
+        // Long session expiry
+        { pattern: /(?:maxAge|expires)\s*[:=]\s*(?:31536000000|365\s*\*\s*24)/i, issue: 'Excessively long session duration (1 year)' },
+        // Session fixation risk
+        { pattern: /req\.session\s*=\s*req\.(?:body|query|params)/i, issue: 'Potential session fixation vulnerability' },
+        // No session regeneration after login
+        { pattern: /(?:login|authenticate).*\{[^}]*(?!regenerate|destroy)/i, issue: 'Missing session regeneration after authentication' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue } of sessionPatterns) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a07-session-${findings.length + 1}`,
+                    ruleId: 'owasp-a07-auth-failures',
+                    severity: 'high',
+                    message: `Insecure session management: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['384', '613'],
+                    suggestion: {
+                        description: 'Use secure session configuration',
+                        example: `// Secure session configuration:
+app.use(session({
+  secret: process.env.SESSION_SECRET,
+  cookie: {
+    secure: true,
+    httpOnly: true,
+    sameSite: 'strict',
+    maxAge: 3600000 // 1 hour
+  },
+  resave: false,
+  saveUninitialized: false
+}));`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for credential exposure
+ */
+function checkCredentialExposure(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const exposurePatterns = [
+        // Password in logs
+        { pattern: /console\.(?:log|info|debug|warn|error)\s*\([^)]*(?:password|secret|token|key)/i, issue: 'Credential logged to console' },
+        { pattern: /logger\.(?:log|info|debug|warn|error)\s*\([^)]*(?:password|secret|token|key)/i, issue: 'Credential logged' },
+        // Password in URL
+        { pattern: /(?:href|url|redirect)\s*[:=].*[?&]password=/i, issue: 'Password in URL parameter' },
+        // Password in error message
+        { pattern: /(?:throw|Error)\s*\([^)]*password/i, issue: 'Password in error message' },
+        // Credential in response
+        { pattern: /res\.(?:json|send)\s*\([^)]*password/i, issue: 'Password in response body' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue } of exposurePatterns) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a07-exposure-${findings.length + 1}`,
+                    ruleId: 'owasp-a07-auth-failures',
+                    severity: 'critical',
+                    message: `Credential exposure risk: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['312', '319', '532'],
+                    suggestion: {
+                        description: 'Never expose credentials in logs, URLs, or responses',
+                        example: `// Redact sensitive data:
+const safeUser = { ...user, password: '[REDACTED]' };
+console.log('User:', safeUser);`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+/**
+ * Check for missing brute-force protection
+ */
+function checkMissingBruteForceProtection(context, findings) {
+    const sourceCode = context.sourceCode;
+    // Check if this looks like a login handler
+    const hasLoginEndpoint = /(?:post|handle)\s*\(\s*['"`]\/(?:api\/)?(?:login|signin|authenticate)['"`]/i.test(sourceCode);
+    const hasRateLimiting = /(?:rateLimit|express-rate-limit|rate-limiter|limiter)/i.test(sourceCode);
+    const hasAccountLockout = /(?:lockout|attempt.*count|failed.*attempts|max.*attempts)/i.test(sourceCode);
+    if (hasLoginEndpoint && !hasRateLimiting && !hasAccountLockout) {
+        const lines = sourceCode.split('\n');
+        let loginLine = 0;
+        for (let i = 0; i < lines.length; i++) {
+            if (/(?:post|handle)\s*\(\s*['"`]\/(?:api\/)?(?:login|signin|authenticate)['"`]/i.test(lines[i])) {
+                loginLine = i;
+                break;
+            }
+        }
+        findings.push({
+            id: `owasp-a07-bruteforce-${findings.length + 1}`,
+            ruleId: 'owasp-a07-auth-failures',
+            severity: 'high',
+            message: 'Login endpoint without brute-force protection',
+            location: {
+                file: context.filePath,
+                startLine: loginLine + 1,
+                endLine: loginLine + 1,
+                startColumn: 0,
+                endColumn: lines[loginLine]?.length || 0,
+            },
+            cwe: ['307'],
+            suggestion: {
+                description: 'Add rate limiting and account lockout',
+                example: `// Use express-rate-limit:
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // 5 attempts
+  skipSuccessfulRequests: true
+});
+
+app.post('/login', loginLimiter, async (req, res) => {
+  // Also implement account lockout after N failed attempts
+});`,
+            },
+        });
+    }
+}
+/**
+ * Check for insecure token handling
+ */
+function checkInsecureTokenHandling(context, findings) {
+    const sourceCode = context.sourceCode;
+    const lines = sourceCode.split('\n');
+    const tokenPatterns = [
+        // JWT without verification
+        { pattern: /jwt\.decode\s*\(/i, issue: 'JWT decoded without signature verification' },
+        // JWT with 'none' algorithm
+        { pattern: /algorithm\s*[:=]\s*['"`]none['"`]/i, issue: 'JWT with "none" algorithm' },
+        // Token in localStorage
+        { pattern: /localStorage\.setItem\s*\([^)]*(?:token|jwt|auth)/i, issue: 'Sensitive token stored in localStorage (XSS risk)' },
+        // Token in query string
+        { pattern: /[?&]token=/i, issue: 'Token passed in URL query string' },
+        // Long-lived tokens
+        { pattern: /expiresIn\s*[:=]\s*['"`](?:30d|365d|1y)['"`]/i, issue: 'Excessively long token expiration' },
+        // Missing token expiration
+        { pattern: /jwt\.sign\s*\([^)]*(?!expiresIn)/i, issue: 'JWT without expiration' },
+    ];
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        for (const { pattern, issue } of tokenPatterns) {
+            if (pattern.test(line)) {
+                findings.push({
+                    id: `owasp-a07-token-${findings.length + 1}`,
+                    ruleId: 'owasp-a07-auth-failures',
+                    severity: 'high',
+                    message: `Insecure token handling: ${issue}`,
+                    location: {
+                        file: context.filePath,
+                        startLine: lineNum + 1,
+                        endLine: lineNum + 1,
+                        startColumn: 0,
+                        endColumn: line.length,
+                    },
+                    cwe: ['287', '311'],
+                    suggestion: {
+                        description: 'Use secure token practices',
+                        example: `// Secure JWT handling:
+const token = jwt.sign(payload, secret, {
+  algorithm: 'RS256',
+  expiresIn: '15m' // Short-lived access token
+});
+
+// Always verify tokens:
+const decoded = jwt.verify(token, publicKey);
+
+// Store tokens in httpOnly cookies, not localStorage`,
+                    },
+                });
+                break;
+            }
+        }
+    }
+}
+export default owaspA07AuthFailures;
+//# sourceMappingURL=a07-auth-failures.js.map

package/dist/rules/owasp/a07-auth-failures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"a07-auth-failures.js","sourceRoot":"","sources":["../../../src/rules/owasp/a07-auth-failures.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAiB;IAChD,EAAE,EAAE,yBAAyB;IAC7B,IAAI,EAAE,6DAA6D;IACnE,WAAW,EAAE,uEAAuE;IACpF,eAAe,EAAE,UAAU;IAC3B,QAAQ,EAAE,gBAAgB;IAC1B,KAAK,EAAE,CAAC,UAAU,CAAC;IACnB,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;IACpE,UAAU,EAAE;QACV;YACE,KAAK,EAAE,gBAAgB;YACvB,GAAG,EAAE,8EAA8E;SACpF;QACD;YACE,KAAK,EAAE,kCAAkC;YACzC,GAAG,EAAE,iDAAiD;SACvD;KACiB;IAEpB,KAAK,CAAC,OAAO,CAAC,OAAoB;QAChC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC3C,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACxC,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC3C,gCAAgC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACpD,0BAA0B,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAE9C,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAAoB,EAAE,QAAuB;IAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,YAAY,GAAG;QACnB,2BAA2B;QAC3B,EAAE,OAAO,EAAE,8DAA8D,EAAE,KAAK,EAAE,oDAAoD,EAAE;QACxI,6BAA6B;QAC7B,EAAE,OAAO,EAAE,0CAA0C,EAAE,KAAK,EAAE,8BAA8B,EAAE;QAC9F,uBAAuB;QACvB,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,4BAA4B,EAAE;QACrF,iCAAiC;QACjC,EAAE,OAAO,EAAE,oDAAoD,EAAE,KAAK,EAAE,gCAAgC,EAAE;KAC3G,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC/C,MAAM,EAAE,yBAAyB;oBACjC,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,yBAAyB,KAAK,EAAE;oBACzC,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,CAAC;oBACZ,UAAU,EAAE;wBACV,WAAW,EAAE,gCAAgC;wBAC7C,OAAO,EAAE;;;;;;;GAOlB;qBACQ;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,OAAoB,EAAE,QAAuB;IACzE,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,eAAe,GAAG;QACtB,2BAA2B;QAC3B,EAAE,OAAO,EAAE,qBAAqB,EAAE,KAAK,EAAE,uCAAuC,EAAE;QAClF,EAAE,OAAO,EAAE,uBAAuB,EAAE,KAAK,EAAE,8CAA8C,EAAE;QAC3F,EAAE,OAAO,EAAE,gCAAgC,EAAE,KAAK,EAAE,uCAAuC,EAAE;QAC7F,sBAAsB;QACtB,EAAE,OAAO,EAAE,4DAA4D,EAAE,KAAK,EAAE,4CAA4C,EAAE;QAC9H,wBAAwB;QACxB,EAAE,OAAO,EAAE,gDAAgD,EAAE,KAAK,EAAE,0CAA0C,EAAE;QAChH,sCAAsC;QACtC,EAAE,OAAO,EAAE,wDAAwD,EAAE,KAAK,EAAE,mDAAmD,EAAE;KAClI,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,eAAe,EAAE,CAAC;YACjD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,qBAAqB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC9C,MAAM,EAAE,yBAAyB;oBACjC,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,gCAAgC,KAAK,EAAE;oBAChD,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,kCAAkC;wBAC/C,OAAO,EAAE;;;;;;;;;;;KAWhB;qBACM;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,OAAoB,EAAE,QAAuB;IAC5E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,gBAAgB,GAAG;QACvB,mBAAmB;QACnB,EAAE,OAAO,EAAE,gFAAgF,EAAE,KAAK,EAAE,8BAA8B,EAAE;QACpI,EAAE,OAAO,EAAE,+EAA+E,EAAE,KAAK,EAAE,mBAAmB,EAAE;QACxH,kBAAkB;QAClB,EAAE,OAAO,EAAE,8CAA8C,EAAE,KAAK,EAAE,2BAA2B,EAAE;QAC/F,4BAA4B;QAC5B,EAAE,OAAO,EAAE,oCAAoC,EAAE,KAAK,EAAE,2BAA2B,EAAE;QACrF,yBAAyB;QACzB,EAAE,OAAO,EAAE,uCAAuC,EAAE,KAAK,EAAE,2BAA2B,EAAE;KACzF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,gBAAgB,EAAE,CAAC;YAClD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,sBAAsB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC/C,MAAM,EAAE,yBAAyB;oBACjC,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,6BAA6B,KAAK,EAAE;oBAC7C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC;oBAC1B,UAAU,EAAE;wBACV,WAAW,EAAE,sDAAsD;wBACnE,OAAO,EAAE;;gCAEW;qBACrB;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,gCAAgC,CAAC,OAAoB,EAAE,QAAuB;IACrF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAEtC,2CAA2C;IAC3C,MAAM,gBAAgB,GAAG,6EAA6E,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACxH,MAAM,eAAe,GAAG,wDAAwD,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClG,MAAM,iBAAiB,GAAG,4DAA4D,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAExG,IAAI,gBAAgB,IAAI,CAAC,eAAe,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/D,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,SAAS,GAAG,CAAC,CAAC;QAElB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,IAAI,6EAA6E,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjG,SAAS,GAAG,CAAC,CAAC;gBACd,MAAM;YACR,CAAC;QACH,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACZ,EAAE,EAAE,wBAAwB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;YACjD,MAAM,EAAE,yBAAyB;YACjC,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,+CAA+C;YACxD,QAAQ,EAAE;gBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;gBACtB,SAAS,EAAE,SAAS,GAAG,CAAC;gBACxB,OAAO,EAAE,SAAS,GAAG,CAAC;gBACtB,WAAW,EAAE,CAAC;gBACd,SAAS,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,MAAM,IAAI,CAAC;aACzC;YACD,GAAG,EAAE,CAAC,KAAK,CAAC;YACZ,UAAU,EAAE;gBACV,WAAW,EAAE,uCAAuC;gBACpD,OAAO,EAAE;;;;;;;;;IASb;aACG;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,0BAA0B,CAAC,OAAoB,EAAE,QAAuB;IAC/E,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,MAAM,aAAa,GAAG;QACpB,2BAA2B;QAC3B,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,4CAA4C,EAAE;QACrF,4BAA4B;QAC5B,EAAE,OAAO,EAAE,oCAAoC,EAAE,KAAK,EAAE,2BAA2B,EAAE;QACrF,wBAAwB;QACxB,EAAE,OAAO,EAAE,oDAAoD,EAAE,KAAK,EAAE,mDAAmD,EAAE;QAC7H,wBAAwB;QACxB,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,kCAAkC,EAAE;QACrE,oBAAoB;QACpB,EAAE,OAAO,EAAE,+CAA+C,EAAE,KAAK,EAAE,mCAAmC,EAAE;QACxG,2BAA2B;QAC3B,EAAE,OAAO,EAAE,mCAAmC,EAAE,KAAK,EAAE,wBAAwB,EAAE;KAClF,CAAC;IAEF,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE,CAAC;QACxD,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;QAE5B,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,mBAAmB,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC5C,MAAM,EAAE,yBAAyB;oBACjC,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,4BAA4B,KAAK,EAAE;oBAC5C,QAAQ,EAAE;wBACR,IAAI,EAAE,OAAO,CAAC,QAAQ;wBACtB,SAAS,EAAE,OAAO,GAAG,CAAC;wBACtB,OAAO,EAAE,OAAO,GAAG,CAAC;wBACpB,WAAW,EAAE,CAAC;wBACd,SAAS,EAAE,IAAI,CAAC,MAAM;qBACvB;oBACD,GAAG,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;oBACnB,UAAU,EAAE;wBACV,WAAW,EAAE,4BAA4B;wBACzC,OAAO,EAAE;;;;;;;;;sDASiC;qBAC3C;iBACF,CAAC,CAAC;gBACH,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,eAAe,oBAAoB,CAAC"}

package/dist/rules/owasp/a08-integrity-failures.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @fileoverview OWASP A08:2021 - Software and Data Integrity Failures
+ * @module @nahisaho/musubix-security/rules/owasp/a08
+ * @trace REQ-SEC-OWASP-008
+ */
+import type { SecurityRule } from '../types.js';
+/**
+ * OWASP A08:2021 - Software and Data Integrity Failures
+ *
+ * Detects:
+ * - Insecure deserialization
+ * - Missing integrity verification
+ * - Untrusted CI/CD pipelines
+ * - Auto-update vulnerabilities
+ */
+export declare const owaspA08IntegrityFailures: SecurityRule;
+export default owaspA08IntegrityFailures;
+//# sourceMappingURL=a08-integrity-failures.d.ts.map

package/dist/rules/owasp/a08-integrity-failures.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"a08-integrity-failures.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp/a08-integrity-failures.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,YAAY,EAA2C,MAAM,aAAa,CAAC;AAEzF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,EAAE,YA8BvC,CAAC;AA8RF,eAAe,yBAAyB,CAAC"}