@nodesecure/js-x-ray 4.5.0 → 5.0.0

package/README.md

@@ -77,24 +77,23 @@ The analysis will return: `http` (in try), `crypto`, `util` and `fs`.
 
 This section describes how use `warnings` export.
 
-The structure of the `warnings` is as follows:
-```js
-/**
- * @property {object}  warnings                - The default values for Constants.
- * @property {string}  warnings[name]          - The default warning name (parsingError, unsafeImport etc...).
- * @property {string}  warnings[name].i18n     - i18n token.
- * @property {string}  warnings[name].code     - Used to perform unit tests.
- * @property {string}  warnings[name].severity - Warning severity.
- */
- 
-export const warnings = Object.freeze({
-    parsingError: {
-      i18n: "sast_warnings.ast_error"
-      code: "ast-error",
-      severity: "Information"
-    },
-    ...otherWarnings
-  });
+```ts
+type WarningName = "parsing-error"
+| "encoded-literal"
+| "unsafe-regex"
+| "unsafe-stmt"
+| "unsafe-assign"
+| "short-identifiers"
+| "suspicious-literal"
+| "obfuscated-code"
+| "weak-crypto"
+| "unsafe-import";
+
+declare const warnings: Record<WarningName, {
+  i18n: string;
+  severity: "Information" | "Warning" | "Critical";
+  experimental?: boolean;
+}>;
 ```
 
 We make a call to `i18n` through the package `NodeSecure/i18n` to get the translation.
@@ -103,7 +102,7 @@ We make a call to `i18n` through the package `NodeSecure/i18n` to get the transl
 import * as jsxray from "@nodesecure/js-x-ray";
 import * as i18n from "@nodesecure/i18n";
 
-console.log(i18n.getToken(jsxray.warnings.parsingError.i18n));
+console.log(i18n.getToken(jsxray.warnings["parsing-error"].i18n));
 ```
 
 ## Warnings Legends
@@ -142,7 +141,7 @@ The method take a first argument which is the code you want to analyse. It will
 ```ts
 interface Report {
     dependencies: ASTDeps;
-    warnings: Warning<BaseWarning>[];
+    warnings: Warning[];
     idsLengthAvg: number;
     stringScore: number;
     isOneLineRequire: boolean;
@@ -166,12 +165,12 @@ Run the SAST scanner on a given JavaScript file.
 ```ts
 export type ReportOnFile = {
   ok: true,
-  warnings: Warning<BaseWarning>[];
+  warnings: Warning[];
   dependencies: ASTDeps;
   isMinified: boolean;
 } | {
   ok: false,
-  warnings: Warning<BaseWarning>[];
+  warnings: Warning[];
 }
 ```
 

package/index.d.ts

@@ -1,140 +1,34 @@
-declare class ASTDeps {
-  constructor();
-  removeByName(name: string): void;
-  add(depName: string): void;
-  getDependenciesInTryStatement(): IterableIterator<string>;
-
-  public isInTryStmt: boolean;
-  public dependencies: Record<string, JSXRay.Dependency>;
-  public readonly size: number;
-}
-
-declare namespace JSXRay {
-  type kindWithValue = "parsing-error"
-    | "encoded-literal"
-    | "unsafe-regex"
-    | "unsafe-stmt"
-    | "unsafe-assign"
-    | "short-identifiers"
-    | "suspicious-literal"
-    | "obfuscated-code"
-    | "weak-crypto";
-
-  type WarningLocation = [[number, number], [number, number]];
-  interface BaseWarning {
-    kind: "unsafe-import" | kindWithValue;
-    file?: string;
-    value: string;
-    location: WarningLocation | WarningLocation[];
-  }
-
-  type Warning<T extends BaseWarning> = T extends { kind: kindWithValue } ? T : Omit<T, "value">;
-
-  interface Report {
-    dependencies: ASTDeps;
-    warnings: Warning<BaseWarning>[];
-    idsLengthAvg: number;
-    stringScore: number;
-    isOneLineRequire: boolean;
-  }
-
-  interface SourceLocation {
-    start: {
-      line: number;
-      column: number;
-    };
-    end: {
-      line: number;
-      column: number;
-    }
-  }
-
-  interface Dependency {
-    unsafe: boolean;
-    inTry: boolean;
-    location?: SourceLocation;
-  }
-
-  interface WarningsNames {
-    parsingError: {
-      code: "ast-error",
-      i18n: "sast_warnings.ast_error",
-      severity: "Information"
-    },
-    unsafeImport: {
-      code: "unsafe-import",
-      i18n: "sast_warnings.unsafe_import",
-      severity: "Warning"
-    },
-    unsafeRegex: {
-      code: "unsafe-regex",
-      i18n: "sast_warnings.unsafe_regex",
-      severity: "Warning"
-    },
-    unsafeStmt: {
-      code: "unsafe-stmt",
-      i18n: "sast_warnings.unsafe_stmt",
-      severity: "Warning"
-    },
-    unsafeAssign: {
-      code: "unsafe-assign",
-      i18n: "sast_warnings.unsafe_assign",
-      severity: "Warning"
-    },
-    encodedLiteral: {
-      code: "encoded-literal",
-      i18n: "sast_warnings.encoded_literal",
-      severity: "Information"
-    },
-    shortIdentifiers: {
-      code: "short-identifiers",
-      i18n: "sast_warnings.short_identifiers",
-      severity: "Warning"
-    },
-    suspiciousLiteral: {
-      code: "suspicious-literal",
-      i18n: "sast_warnings.suspicious_literal",
-      severity: "Warning"
-    },
-    obfuscatedCode: {
-      code: "obfuscated-code",
-      i18n: "sast_warnings.obfuscated_code",
-      severity: "Critical"
-    },
-    weakCrypto: {
-      code: "weak-crypto",
-      i18n: "sast_warnings.weak_crypto",
-      severity: "Information",
-      experimental: true
-   }
-  }
-
-  interface RuntimeOptions {
-    module?: boolean;
-    isMinified?: boolean;
-  }
-
-  export function runASTAnalysis(str: string, options?: RuntimeOptions): Report;
-
-  export type ReportOnFile = {
-    ok: true,
-    warnings: Warning<BaseWarning>[];
-    dependencies: ASTDeps;
-    isMinified: boolean;
-  } | {
-    ok: false,
-    warnings: Warning<BaseWarning>[];
-  }
-
-  export interface RuntimeFileOptions {
-    packageName?: string;
-    module?: boolean;
-  }
-
-  export function runASTAnalysisOnFile(pathToFile: string, options?: RuntimeFileOptions): Promise<ReportOnFile>;
-
-  export const warnings: WarningsNames;
-}
-
-export = JSXRay;
-export as namespace JSXRay;
+import {
+  runASTAnalysis,
+  runASTAnalysisOnFile,
+  Report,
+  ReportOnFile,
+  RuntimeFileOptions,
+  RuntimeOptions
+} from "./types/api";
+import {
+  Warning,
+  WarningDefault,
+  WarningLocation,
+  WarningName,
+  WarningNameWithValue
+} from "./types/warnings";
+import { ASTDeps } from "./types/astdeps";
+
+declare const warnings: Record<WarningName, Pick<WarningDefault, "experimental" | "i18n" | "severity">>;
+
+export {
+  warnings,
+  runASTAnalysis,
+  runASTAnalysisOnFile,
+  Report,
+  ReportOnFile,
+  RuntimeFileOptions,
+  RuntimeOptions,
+  ASTDeps,
+  Warning,
+  WarningDefault,
+  WarningLocation,
+  WarningName,
+  WarningNameWithValue
+}

package/index.js

@@ -9,6 +9,7 @@ import isMinified from "is-minified-code";
 
 // Import Internal Dependencies
 import Analysis from "./src/Analysis.js";
+import { warnings } from "./src/warnings.js";
 
 export function runASTAnalysis(str, options = Object.create(null)) {
   const { module = true, isMinified = false } = options;
@@ -83,59 +84,4 @@ export async function runASTAnalysisOnFile(pathToFile, options = {}) {
   }
 }
 
-export const warnings = Object.freeze({
-  parsingError: {
-    code: "ast-error",
-    i18n: "sast_warnings.ast_error",
-    severity: "Information"
-  },
-  unsafeImport: {
-    code: "unsafe-import",
-    i18n: "sast_warnings.unsafe_import",
-    severity: "Warning"
-  },
-  unsafeRegex: {
-    code: "unsafe-regex",
-    i18n: "sast_warnings.unsafe_regex",
-    severity: "Warning"
-  },
-  unsafeStmt: {
-    code: "unsafe-stmt",
-    i18n: "sast_warnings.unsafe_stmt",
-    severity: "Warning"
-  },
-  unsafeAssign: {
-    code: "unsafe-assign",
-    i18n: "sast_warnings.unsafe_assign",
-    severity: "Warning"
-  },
-  encodedLiteral: {
-    code: "encoded-literal",
-    i18n: "sast_warnings.encoded_literal",
-    severity: "Information"
-  },
-  shortIdentifiers: {
-    code: "short-identifiers",
-    i18n: "sast_warnings.short_identifiers",
-    severity: "Warning"
-  },
-  suspiciousLiteral: {
-    code: "suspicious-literal",
-    i18n: "sast_warnings.suspicious_literal",
-    severity: "Warning"
-  },
-  obfuscatedCode: {
-    code: "obfuscated-code",
-    i18n: "sast_warnings.obfuscated_code",
-    severity: "Critical",
-    experimental: true
-  },
-  weakCrypto: {
-    code: "weak-crypto",
-    i18n: "sast_warnings.weak_crypto",
-    severity: "Information",
-    experimental: true
-  }
-});
-
-
+export { warnings };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/js-x-ray",
-  "version": "4.5.0",
+  "version": "5.0.0",
   "description": "JavaScript AST XRay analysis",
   "type": "module",
   "exports": "./index.js",

package/src/Analysis.js

@@ -2,8 +2,9 @@
 import { Utils, Literal } from "@nodesecure/sec-literal";
 
 // Import Internal Dependencies
-import { rootLocation, toArrayLocation, generateWarning } from "./utils.js";
-import { warnings as _warnings, processMainModuleRequire } from "./constants.js";
+import { rootLocation, toArrayLocation } from "./utils.js";
+import { generateWarning } from "./warnings.js";
+import { processMainModuleRequire } from "./constants.js";
 import ASTDeps from "./ASTDeps.js";
 import { isObfuscatedCode, hasTrojanSource } from "./obfuscators/index.js";
 import { runOnProbes } from "./probes/index.js";
@@ -15,19 +16,6 @@ const kDictionaryStrParts = [
   "0123456789"
 ];
 
-const kWarningsNameStr = Object.freeze({
-  [_warnings.parsingError]: "parsing-error",
-  [_warnings.unsafeImport]: "unsafe-import",
-  [_warnings.unsafeRegex]: "unsafe-regex",
-  [_warnings.unsafeStmt]: "unsafe-stmt",
-  [_warnings.unsafeAssign]: "unsafe-assign",
-  [_warnings.encodedLiteral]: "encoded-literal",
-  [_warnings.shortIdentifiers]: "short-identifiers",
-  [_warnings.suspiciousLiteral]: "suspicious-literal",
-  [_warnings.obfuscatedCode]: "obfuscated-code",
-  [_warnings.weakCrypto]: "weak-crypto"
-});
-
 export default class Analysis {
   hasDictionaryString = false;
   hasPrefixedIdentifiers = false;
@@ -56,23 +44,24 @@ export default class Analysis {
     this.literalScores = [];
   }
 
-  addWarning(symbol, value, location = rootLocation()) {
-    if (symbol === _warnings.encodedLiteral && this.handledEncodedLiteralValues.has(value)) {
+  addWarning(name, value, location = rootLocation()) {
+    const isEncodedLiteral = name === "encoded-literal";
+    if (isEncodedLiteral && this.handledEncodedLiteralValues.has(value)) {
       const index = this.handledEncodedLiteralValues.get(value);
       this.warnings[index].location.push(toArrayLocation(location));
 
       return;
     }
-    const warningName = kWarningsNameStr[symbol];
-    this.warnings.push(generateWarning(warningName, { value, location }));
-    if (symbol === _warnings.encodedLiteral) {
+
+    this.warnings.push(generateWarning(name, { value, location }));
+    if (isEncodedLiteral) {
       this.handledEncodedLiteralValues.set(value, this.warnings.length - 1);
     }
   }
 
   analyzeSourceString(sourceString) {
     if (hasTrojanSource(sourceString)) {
-      this.addWarning(_warnings.obfuscatedCode, "trojan-source");
+      this.addWarning("obfuscated-code", "trojan-source");
     }
   }
 
@@ -107,7 +96,7 @@ export default class Analysis {
         this.counter.encodedArrayValue++;
       }
       else {
-        this.addWarning(_warnings.encodedLiteral, node.value, node.loc);
+        this.addWarning("encoded-literal", node.value, node.loc);
       }
     }
   }
@@ -116,7 +105,7 @@ export default class Analysis {
     this.counter.identifiers = this.identifiersName.length;
     const [isObfuscated, kind] = isObfuscatedCode(this);
     if (isObfuscated) {
-      this.addWarning(_warnings.obfuscatedCode, kind || "unknown");
+      this.addWarning("obfuscated-code", kind || "unknown");
     }
 
     const identifiersLengthArr = this.identifiersName
@@ -124,10 +113,10 @@ export default class Analysis {
 
     const [idsLengthAvg, stringScore] = [sum(identifiersLengthArr), sum(this.literalScores)];
     if (!isMinified && identifiersLengthArr.length > 5 && idsLengthAvg <= 1.5) {
-      this.addWarning(_warnings.shortIdentifiers, idsLengthAvg);
+      this.addWarning("short-identifiers", idsLengthAvg);
     }
     if (stringScore >= 3) {
-      this.addWarning(_warnings.suspiciousLiteral, stringScore);
+      this.addWarning("suspicious-literal", stringScore);
     }
 
     return { idsLengthAvg, stringScore, warnings: this.warnings };
@@ -149,5 +138,3 @@ export default class Analysis {
 function sum(arr = []) {
   return arr.length === 0 ? 0 : (arr.reduce((prev, curr) => prev + curr, 0) / arr.length);
 }
-
-Analysis.Warnings = _warnings;

package/src/constants.js

@@ -33,16 +33,3 @@ export const unsafeUnicodeControlCharacters = [
   "\u200F",
   "\u061C"
 ];
-
-export const warnings = Object.freeze({
-  parsingError: Symbol("ParsingError"),
-  unsafeImport: Symbol("UnsafeImport"),
-  unsafeRegex: Symbol("UnsafeRegex"),
-  unsafeStmt: Symbol("UnsafeStmt"),
-  unsafeAssign: Symbol("UnsafeAssign"),
-  encodedLiteral: Symbol("EncodedLiteral"),
-  shortIdentifiers: Symbol("ShortIdentifiers"),
-  suspiciousLiteral: Symbol("SuspiciousLiteral"),
-  obfuscatedCode: Symbol("ObfuscatedCode"),
-  weakCrypto: Symbol("WeakCrypto")
-});

package/src/probes/index.js

@@ -1,68 +1,68 @@
-// Import all the probes
-import isUnsafeCallee from "./isUnsafeCallee.js";
-import isLiteral from "./isLiteral.js";
-import isLiteralRegex from "./isLiteralRegex.js";
-import isRegexObject from "./isRegexObject.js";
-import isVariableDeclaration from "./isVariableDeclaration.js";
-import isAssignmentExprOrMemberExpr from "./isAssignmentExprOrMemberExpr.js";
-import isRequire from "./isRequire.js";
-import isImportDeclaration from "./isImportDeclaration.js";
-import isMemberExpression from "./isMemberExpression.js";
-import isArrayExpression from "./isArrayExpression.js";
-import isFunctionDeclaration from "./isFunctionDeclaration.js";
-import isAssignmentExpression from "./isAssignmentExpression.js";
-import isObjectExpression from "./isObjectExpression.js";
-import isUnaryExpression from "./isUnaryExpression.js";
-import isWeakCrypto from "./isWeakCrypto.js";
-
-// CONSTANTS
-const kListOfProbes = [
-  isUnsafeCallee,
-  isLiteral,
-  isLiteralRegex,
-  isRegexObject,
-  isVariableDeclaration,
-  isAssignmentExprOrMemberExpr,
-  isRequire,
-  isImportDeclaration,
-  isMemberExpression,
-  isAssignmentExpression,
-  isObjectExpression,
-  isArrayExpression,
-  isFunctionDeclaration,
-  isUnaryExpression,
-  isWeakCrypto
-];
-
-const kSymBreak = Symbol.for("breakWalk");
-const kSymSkip = Symbol.for("skipWalk");
-
-export function runOnProbes(node, analysis) {
-  const breakedGroups = new Set();
-
-  for (const probe of kListOfProbes) {
-    if (breakedGroups.has(probe.breakGroup)) {
-      continue;
-    }
-
-    const [isMatching, data = null] = probe.validateNode(node, analysis);
-    if (isMatching) {
-      const result = probe.main(node, { analysis, data });
-
-      if (result === kSymSkip) {
-        return "skip";
-      }
-      if (result === kSymBreak || probe.breakOnMatch) {
-        const breakGroup = probe.breakGroup || null;
-        if (breakGroup === null) {
-          break;
-        }
-        else {
-          breakedGroups.add(breakGroup);
-        }
-      }
-    }
-  }
-
-  return null;
-}
+// Import all the probes
+import isUnsafeCallee from "./isUnsafeCallee.js";
+import isLiteral from "./isLiteral.js";
+import isLiteralRegex from "./isLiteralRegex.js";
+import isRegexObject from "./isRegexObject.js";
+import isVariableDeclaration from "./isVariableDeclaration.js";
+import isAssignmentExprOrMemberExpr from "./isAssignmentExprOrMemberExpr.js";
+import isRequire from "./isRequire.js";
+import isImportDeclaration from "./isImportDeclaration.js";
+import isMemberExpression from "./isMemberExpression.js";
+import isArrayExpression from "./isArrayExpression.js";
+import isFunctionDeclaration from "./isFunctionDeclaration.js";
+import isAssignmentExpression from "./isAssignmentExpression.js";
+import isObjectExpression from "./isObjectExpression.js";
+import isUnaryExpression from "./isUnaryExpression.js";
+import isWeakCrypto from "./isWeakCrypto.js";
+
+// CONSTANTS
+const kListOfProbes = [
+  isUnsafeCallee,
+  isLiteral,
+  isLiteralRegex,
+  isRegexObject,
+  isVariableDeclaration,
+  isAssignmentExprOrMemberExpr,
+  isRequire,
+  isImportDeclaration,
+  isMemberExpression,
+  isAssignmentExpression,
+  isObjectExpression,
+  isArrayExpression,
+  isFunctionDeclaration,
+  isUnaryExpression,
+  isWeakCrypto
+];
+
+const kSymBreak = Symbol.for("breakWalk");
+const kSymSkip = Symbol.for("skipWalk");
+
+export function runOnProbes(node, analysis) {
+  const breakedGroups = new Set();
+
+  for (const probe of kListOfProbes) {
+    if (breakedGroups.has(probe.breakGroup)) {
+      continue;
+    }
+
+    const [isMatching, data = null] = probe.validateNode(node, analysis);
+    if (isMatching) {
+      const result = probe.main(node, { analysis, data });
+
+      if (result === kSymSkip) {
+        return "skip";
+      }
+      if (result === kSymBreak || probe.breakOnMatch) {
+        const breakGroup = probe.breakGroup || null;
+        if (breakGroup === null) {
+          break;
+        }
+        else {
+          breakedGroups.add(breakGroup);
+        }
+      }
+    }
+  }
+
+  return null;
+}

package/src/probes/isImportDeclaration.js

@@ -1,6 +1,3 @@
-// Require Internal Dependencies
-import { warnings } from "../constants.js";
-
 /**
  * @description Search for ESM ImportDeclaration
  * @see https://github.com/estree/estree/blob/master/es2015.md#importdeclaration
@@ -22,7 +19,7 @@ function main(node, options) {
   // Searching for dangerous import "data:text/javascript;..." statement.
   // see: https://2ality.com/2019/10/eval-via-import.html
   if (node.source.value.startsWith("data:text/javascript")) {
-    analysis.addWarning(warnings.unsafeImport, node.source.value, node.loc);
+    analysis.addWarning("unsafe-import", node.source.value, node.loc);
   }
   analysis.dependencies.add(node.source.value, node.loc);
 }

package/src/probes/isLiteral.js

@@ -5,7 +5,7 @@ import { builtinModules } from "repl";
 import { Hex } from "@nodesecure/sec-literal";
 
 // Import Internal Dependencies
-import { globalParts, warnings } from "../constants.js";
+import { globalParts } from "../constants.js";
 
 // CONSTANTS
 const kNodeDeps = new Set(builtinModules);
@@ -34,10 +34,10 @@ function main(node, options) {
     // then we add it to the dependencies list and we throw an unsafe-import at the current location.
     if (kNodeDeps.has(value)) {
       analysis.dependencies.add(value, node.loc);
-      analysis.addWarning(warnings.unsafeImport, null, node.loc);
+      analysis.addWarning("unsafe-import", null, node.loc);
     }
     else if (globalParts.has(value) || !Hex.isSafe(node.value)) {
-      analysis.addWarning(warnings.encodedLiteral, node.value, node.loc);
+      analysis.addWarning("encoded-literal", node.value, node.loc);
     }
   }
   // Else we are checking all other string with our suspect method

package/src/probes/isLiteralRegex.js

@@ -1,6 +1,5 @@
 // Require Internal Dependencies
 import { isLiteralRegex } from "../utils.js";
-import { warnings } from "../constants.js";
 
 // Require Third-party Dependencies
 import safeRegex from "safe-regex";
@@ -22,7 +21,7 @@ function main(node, options) {
 
   // We use the safe-regex package to detect whether or not regex is safe!
   if (!safeRegex(node.regex.pattern)) {
-    analysis.addWarning(warnings.unsafeRegex, node.regex.pattern, node.loc);
+    analysis.addWarning("unsafe-regex", node.regex.pattern, node.loc);
   }
 }
 

package/src/probes/isRegexObject.js

@@ -1,6 +1,5 @@
 // Import Internal Dependencies
 import { isLiteralRegex } from "../utils.js";
-import { warnings } from "../constants.js";
 
 // Import Third-party Dependencies
 import safeRegex from "safe-regex";
@@ -25,7 +24,7 @@ function main(node, options) {
 
   // We use the safe-regex package to detect whether or not regex is safe!
   if (!safeRegex(pattern)) {
-    analysis.addWarning(warnings.unsafeRegex, pattern, node.loc);
+    analysis.addWarning("unsafe-regex", pattern, node.loc);
   }
 }
 

package/src/probes/isRequire.js

@@ -1,160 +1,159 @@
-/* eslint-disable consistent-return */
-
-// Import Internal Dependencies
-import { isRequireGlobalMemberExpr, getMemberExprName, arrExprToString, concatBinaryExpr } from "../utils.js";
-import { warnings } from "../constants.js";
-
-// Import Third-party Dependencies
-import { Hex } from "@nodesecure/sec-literal";
-import { walk } from "estree-walker";
-
-function validateNode(node, analysis) {
-  return [
-    isRequireIdentifiers(node, analysis) ||
-    isRequireResolve(node) ||
-    isRequireMemberExpr(node)
-  ];
-}
-
-function isRequireResolve(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
-  }
-
-  return node.callee.object.name === "require" && node.callee.property.name === "resolve";
-}
-
-function isRequireMemberExpr(node) {
-  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
-    return false;
-  }
-
-  return isRequireGlobalMemberExpr(getMemberExprName(node.callee));
-}
-
-function isRequireIdentifiers(node, analysis) {
-  if (node.type !== "CallExpression") {
-    return false;
-  }
-  const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
-
-  return analysis.requireIdentifiers.has(fullName);
-}
-
-function main(node, options) {
-  const { analysis } = options;
-
-  const arg = node.arguments[0];
-  switch (arg.type) {
-    // const foo = "http"; require(foo);
-    case "Identifier":
-      if (analysis.identifiers.has(arg.name)) {
-        analysis.dependencies.add(analysis.identifiers.get(arg.name), node.loc);
-      }
-      else {
-        analysis.addWarning(warnings.unsafeImport, null, node.loc);
-      }
-      break;
-
-    // require("http")
-    case "Literal":
-      analysis.dependencies.add(arg.value, node.loc);
-      break;
-
-    // require(["ht" + "tp"])
-    case "ArrayExpression": {
-      const value = arrExprToString(arg.elements, analysis.identifiers).trim();
-      if (value === "") {
-        analysis.addWarning(warnings.unsafeImport, null, node.loc);
-      }
-      else {
-        analysis.dependencies.add(value, node.loc);
-      }
-      break;
-    }
-
-    // require("ht" + "tp");
-    case "BinaryExpression": {
-      if (arg.operator !== "+") {
-        break;
-      }
-
-      const value = concatBinaryExpr(arg, analysis.identifiers);
-      if (value === null) {
-        analysis.addWarning(warnings.unsafeImport, null, node.loc);
-      }
-      else {
-        analysis.dependencies.add(value, node.loc);
-      }
-      break;
-    }
-
-    // require(Buffer.from("...", "hex").toString());
-    case "CallExpression": {
-      const { dependencies } = parseRequireCallExpression(arg);
-      dependencies.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
-
-      analysis.addWarning(warnings.unsafeImport, null, node.loc);
-
-      // We skip walking the tree to avoid anymore warnings...
-      return Symbol.for("skipWalk");
-    }
-
-    default:
-      analysis.addWarning(warnings.unsafeImport, null, node.loc);
-  }
-}
-
-function parseRequireCallExpression(nodeToWalk) {
-  const dependencies = new Set();
-
-  walk(nodeToWalk, {
-    enter(node) {
-      if (node.type !== "CallExpression" || node.arguments.length === 0) {
-        return;
-      }
-
-      if (node.arguments[0].type === "Literal" && Hex.isHex(node.arguments[0].value)) {
-        dependencies.add(Buffer.from(node.arguments[0].value, "hex").toString());
-
-        return this.skip();
-      }
-
-      const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
-      switch (fullName) {
-        case "Buffer.from": {
-          const [element, convert] = node.arguments;
-
-          if (element.type === "ArrayExpression") {
-            const depName = arrExprToString(element);
-            if (depName.trim() !== "") {
-              dependencies.add(depName);
-            }
-          }
-          else if (element.type === "Literal" && convert.type === "Literal" && convert.value === "hex") {
-            const value = Buffer.from(element.value, "hex").toString();
-            dependencies.add(value);
-          }
-          break;
-        }
-        case "require.resolve": {
-          const [element] = node.arguments;
-
-          if (element.type === "Literal") {
-            dependencies.add(element.value);
-          }
-          break;
-        }
-      }
-    }
-  });
-
-  return {
-    dependencies: [...dependencies]
-  };
-}
-
-export default {
-  name: "isRequire",
-  validateNode, main, breakOnMatch: true, breakGroup: "import"
-};
+/* eslint-disable consistent-return */
+
+// Import Internal Dependencies
+import { isRequireGlobalMemberExpr, getMemberExprName, arrExprToString, concatBinaryExpr } from "../utils.js";
+
+// Import Third-party Dependencies
+import { Hex } from "@nodesecure/sec-literal";
+import { walk } from "estree-walker";
+
+function validateNode(node, analysis) {
+  return [
+    isRequireIdentifiers(node, analysis) ||
+    isRequireResolve(node) ||
+    isRequireMemberExpr(node)
+  ];
+}
+
+function isRequireResolve(node) {
+  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
+    return false;
+  }
+
+  return node.callee.object.name === "require" && node.callee.property.name === "resolve";
+}
+
+function isRequireMemberExpr(node) {
+  if (node.type !== "CallExpression" || node.callee.type !== "MemberExpression") {
+    return false;
+  }
+
+  return isRequireGlobalMemberExpr(getMemberExprName(node.callee));
+}
+
+function isRequireIdentifiers(node, analysis) {
+  if (node.type !== "CallExpression") {
+    return false;
+  }
+  const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
+
+  return analysis.requireIdentifiers.has(fullName);
+}
+
+function main(node, options) {
+  const { analysis } = options;
+
+  const arg = node.arguments[0];
+  switch (arg.type) {
+    // const foo = "http"; require(foo);
+    case "Identifier":
+      if (analysis.identifiers.has(arg.name)) {
+        analysis.dependencies.add(analysis.identifiers.get(arg.name), node.loc);
+      }
+      else {
+        analysis.addWarning("unsafe-import", null, node.loc);
+      }
+      break;
+
+    // require("http")
+    case "Literal":
+      analysis.dependencies.add(arg.value, node.loc);
+      break;
+
+    // require(["ht" + "tp"])
+    case "ArrayExpression": {
+      const value = arrExprToString(arg.elements, analysis.identifiers).trim();
+      if (value === "") {
+        analysis.addWarning("unsafe-import", null, node.loc);
+      }
+      else {
+        analysis.dependencies.add(value, node.loc);
+      }
+      break;
+    }
+
+    // require("ht" + "tp");
+    case "BinaryExpression": {
+      if (arg.operator !== "+") {
+        break;
+      }
+
+      const value = concatBinaryExpr(arg, analysis.identifiers);
+      if (value === null) {
+        analysis.addWarning("unsafe-import", null, node.loc);
+      }
+      else {
+        analysis.dependencies.add(value, node.loc);
+      }
+      break;
+    }
+
+    // require(Buffer.from("...", "hex").toString());
+    case "CallExpression": {
+      const { dependencies } = parseRequireCallExpression(arg);
+      dependencies.forEach((depName) => analysis.dependencies.add(depName, node.loc, true));
+
+      analysis.addWarning("unsafe-import", null, node.loc);
+
+      // We skip walking the tree to avoid anymore warnings...
+      return Symbol.for("skipWalk");
+    }
+
+    default:
+      analysis.addWarning("unsafe-import", null, node.loc);
+  }
+}
+
+function parseRequireCallExpression(nodeToWalk) {
+  const dependencies = new Set();
+
+  walk(nodeToWalk, {
+    enter(node) {
+      if (node.type !== "CallExpression" || node.arguments.length === 0) {
+        return;
+      }
+
+      if (node.arguments[0].type === "Literal" && Hex.isHex(node.arguments[0].value)) {
+        dependencies.add(Buffer.from(node.arguments[0].value, "hex").toString());
+
+        return this.skip();
+      }
+
+      const fullName = node.callee.type === "MemberExpression" ? getMemberExprName(node.callee) : node.callee.name;
+      switch (fullName) {
+        case "Buffer.from": {
+          const [element, convert] = node.arguments;
+
+          if (element.type === "ArrayExpression") {
+            const depName = arrExprToString(element);
+            if (depName.trim() !== "") {
+              dependencies.add(depName);
+            }
+          }
+          else if (element.type === "Literal" && convert.type === "Literal" && convert.value === "hex") {
+            const value = Buffer.from(element.value, "hex").toString();
+            dependencies.add(value);
+          }
+          break;
+        }
+        case "require.resolve": {
+          const [element] = node.arguments;
+
+          if (element.type === "Literal") {
+            dependencies.add(element.value);
+          }
+          break;
+        }
+      }
+    }
+  });
+
+  return {
+    dependencies: [...dependencies]
+  };
+}
+
+export default {
+  name: "isRequire",
+  validateNode, main, breakOnMatch: true, breakGroup: "import"
+};

package/src/probes/isUnsafeCallee.js

@@ -1,6 +1,5 @@
 // Require Internal Dependencies
 import { isUnsafeCallee } from "../utils.js";
-import { warnings } from "../constants.js";
 
 /**
  * @description Detect unsafe statement
@@ -15,7 +14,7 @@ function validateNode(node) {
 function main(node, options) {
   const { analysis, data: calleeName } = options;
 
-  analysis.addWarning(warnings.unsafeStmt, calleeName, node.loc);
+  analysis.addWarning("unsafe-stmt", calleeName, node.loc);
 }
 
 export default {

package/src/probes/isVariableDeclaration.js

@@ -1,104 +1,104 @@
-// Require Internal Dependencies
-import { getIdName, getMemberExprName, isUnsafeCallee, isRequireGlobalMemberExpr } from "../utils.js";
-import { warnings, globalParts, processMainModuleRequire } from "../constants.js";
-
-// CONSTANTS
-const kUnsafeCallee = new Set(["eval", "Function"]);
-
-// In case we are matching a Variable declaration, we have to save the identifier
-// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
-function validateNode(node) {
-  return [
-    node.type === "VariableDeclaration"
-  ];
-}
-
-function main(mainNode, options) {
-  const { analysis } = options;
-
-  analysis.varkinds[mainNode.kind]++;
-
-  for (const node of mainNode.declarations) {
-    analysis.idtypes.variableDeclarator++;
-    for (const name of getIdName(node.id)) {
-      analysis.identifiersName.push({ name, type: "variableDeclarator" });
-    }
-
-    if (node.init === null || node.id.type !== "Identifier") {
-      continue;
-    }
-
-    if (node.init.type === "Literal") {
-      analysis.identifiers.set(node.id.name, String(node.init.value));
-    }
-
-    // Searching for someone who assign require to a variable, ex:
-    // const r = require
-    else if (node.init.type === "Identifier") {
-      if (kUnsafeCallee.has(node.init.name)) {
-        analysis.addWarning(warnings.unsafeAssign, node.init.name, node.loc);
-      }
-      else if (analysis.requireIdentifiers.has(node.init.name)) {
-        analysis.requireIdentifiers.add(node.id.name);
-        analysis.addWarning(warnings.unsafeAssign, node.init.name, node.loc);
-      }
-      else if (globalParts.has(node.init.name)) {
-        analysis.globalParts.set(node.id.name, node.init.name);
-        getRequirablePatterns(analysis.globalParts)
-          .forEach((name) => analysis.requireIdentifiers.add(name));
-      }
-    }
-
-    // Same as before but for pattern like process.mainModule and require.resolve
-    else if (node.init.type === "MemberExpression") {
-      const value = getMemberExprName(node.init);
-      const members = value.split(".");
-
-      if (analysis.globalParts.has(members[0]) || members.every((part) => globalParts.has(part))) {
-        analysis.globalParts.set(node.id.name, members.slice(1).join("."));
-        analysis.addWarning(warnings.unsafeAssign, value, node.loc);
-      }
-      getRequirablePatterns(analysis.globalParts)
-        .forEach((name) => analysis.requireIdentifiers.add(name));
-
-      if (isRequireStatement(value)) {
-        analysis.requireIdentifiers.add(node.id.name);
-        analysis.addWarning(warnings.unsafeAssign, value, node.loc);
-      }
-    }
-    else if (isUnsafeCallee(node.init)[0]) {
-      analysis.globalParts.set(node.id.name, "global");
-      globalParts.add(node.id.name);
-      analysis.requireIdentifiers.add(`${node.id.name}.${processMainModuleRequire}`);
-    }
-  }
-}
-
-function isRequireStatement(value) {
-  return value.startsWith("require") ||
-    value.startsWith(processMainModuleRequire) ||
-    isRequireGlobalMemberExpr(value);
-}
-
-function getRequirablePatterns(parts) {
-  const result = new Set();
-
-  for (const [id, path] of parts.entries()) {
-    if (path === "process") {
-      result.add(`${id}.mainModule.require`);
-    }
-    else if (path === "mainModule") {
-      result.add(`${id}.require`);
-    }
-    else if (path.includes("require")) {
-      result.add(id);
-    }
-  }
-
-  return [...result];
-}
-
-export default {
-  name: "isVariableDeclaration",
-  validateNode, main, breakOnMatch: false
-};
+// Require Internal Dependencies
+import { getIdName, getMemberExprName, isUnsafeCallee, isRequireGlobalMemberExpr } from "../utils.js";
+import { globalParts, processMainModuleRequire } from "../constants.js";
+
+// CONSTANTS
+const kUnsafeCallee = new Set(["eval", "Function"]);
+
+// In case we are matching a Variable declaration, we have to save the identifier
+// This allow the AST Analysis to retrieve required dependency when the stmt is mixed with variables.
+function validateNode(node) {
+  return [
+    node.type === "VariableDeclaration"
+  ];
+}
+
+function main(mainNode, options) {
+  const { analysis } = options;
+
+  analysis.varkinds[mainNode.kind]++;
+
+  for (const node of mainNode.declarations) {
+    analysis.idtypes.variableDeclarator++;
+    for (const name of getIdName(node.id)) {
+      analysis.identifiersName.push({ name, type: "variableDeclarator" });
+    }
+
+    if (node.init === null || node.id.type !== "Identifier") {
+      continue;
+    }
+
+    if (node.init.type === "Literal") {
+      analysis.identifiers.set(node.id.name, String(node.init.value));
+    }
+
+    // Searching for someone who assign require to a variable, ex:
+    // const r = require
+    else if (node.init.type === "Identifier") {
+      if (kUnsafeCallee.has(node.init.name)) {
+        analysis.addWarning("unsafe-assign", node.init.name, node.loc);
+      }
+      else if (analysis.requireIdentifiers.has(node.init.name)) {
+        analysis.requireIdentifiers.add(node.id.name);
+        analysis.addWarning("unsafe-assign", node.init.name, node.loc);
+      }
+      else if (globalParts.has(node.init.name)) {
+        analysis.globalParts.set(node.id.name, node.init.name);
+        getRequirablePatterns(analysis.globalParts)
+          .forEach((name) => analysis.requireIdentifiers.add(name));
+      }
+    }
+
+    // Same as before but for pattern like process.mainModule and require.resolve
+    else if (node.init.type === "MemberExpression") {
+      const value = getMemberExprName(node.init);
+      const members = value.split(".");
+
+      if (analysis.globalParts.has(members[0]) || members.every((part) => globalParts.has(part))) {
+        analysis.globalParts.set(node.id.name, members.slice(1).join("."));
+        analysis.addWarning("unsafe-assign", value, node.loc);
+      }
+      getRequirablePatterns(analysis.globalParts)
+        .forEach((name) => analysis.requireIdentifiers.add(name));
+
+      if (isRequireStatement(value)) {
+        analysis.requireIdentifiers.add(node.id.name);
+        analysis.addWarning("unsafe-assign", value, node.loc);
+      }
+    }
+    else if (isUnsafeCallee(node.init)[0]) {
+      analysis.globalParts.set(node.id.name, "global");
+      globalParts.add(node.id.name);
+      analysis.requireIdentifiers.add(`${node.id.name}.${processMainModuleRequire}`);
+    }
+  }
+}
+
+function isRequireStatement(value) {
+  return value.startsWith("require") ||
+    value.startsWith(processMainModuleRequire) ||
+    isRequireGlobalMemberExpr(value);
+}
+
+function getRequirablePatterns(parts) {
+  const result = new Set();
+
+  for (const [id, path] of parts.entries()) {
+    if (path === "process") {
+      result.add(`${id}.mainModule.require`);
+    }
+    else if (path === "mainModule") {
+      result.add(`${id}.require`);
+    }
+    else if (path.includes("require")) {
+      result.add(id);
+    }
+  }
+
+  return [...result];
+}
+
+export default {
+  name: "isVariableDeclaration",
+  validateNode, main, breakOnMatch: false
+};

package/src/probes/isWeakCrypto.js

@@ -1,8 +1,5 @@
-// Internal Dependencies
-import { warnings } from "../constants.js";
-
-// Constants
-const weakAlgorithms = new Set(["md5", "sha1", "ripemd160", "md4", "md2"]);
+// CONSTANTS
+const kWeakAlgorithms = new Set(["md5", "sha1", "ripemd160", "md4", "md2"]);
 
 function validateNode(node) {
   const isCallExpression = node.type === "CallExpression";
@@ -21,10 +18,10 @@ function main(node, { analysis }) {
   const isCryptoImported = analysis.dependencies.has("crypto");
 
   if (
-    weakAlgorithms.has(arg.value) &&
+    kWeakAlgorithms.has(arg.value) &&
     isCryptoImported
   ) {
-    analysis.addWarning(warnings.weakCrypto, arg.value, node.loc);
+    analysis.addWarning("weak-crypto", arg.value, node.loc);
   }
 }
 

package/src/utils.js

@@ -164,25 +164,3 @@ export function toArrayLocation(location = rootLocation()) {
 
   return [[start.line || 0, start.column || 0], [end.line || 0, end.column || 0]];
 }
-
-export function generateWarning(kind, options) {
-  const { location, file = null, value = null } = options;
-
-  if (kind === "encoded-literal") {
-    return { kind, value, location: [toArrayLocation(location)] };
-  }
-
-  const result = { kind, location: toArrayLocation(location) };
-  if (notNullOrUndefined(file)) {
-    result.file = file;
-  }
-  if (notNullOrUndefined(value)) {
-    result.value = value;
-  }
-
-  if (kExperimentalWarnings.has(kind)) {
-    result.experimental = true;
-  }
-
-  return result;
-}

package/src/warnings.js

@@ -0,0 +1,70 @@
+// Import Internal Dependencies
+import * as utils from "./utils.js";
+
+export const warnings = Object.freeze({
+  "ast-error": {
+    i18n: "sast_warnings.ast_error",
+    severity: "Information"
+  },
+  "unsafe-import": {
+    i18n: "sast_warnings.unsafe_import",
+    severity: "Warning"
+  },
+  "unsafe-regex": {
+    i18n: "sast_warnings.unsafe_regex",
+    severity: "Warning"
+  },
+  "unsafe-stmt": {
+    code: "unsafe-stmt",
+    i18n: "sast_warnings.unsafe_stmt",
+    severity: "Warning"
+  },
+  "unsafe-assign": {
+    i18n: "sast_warnings.unsafe_assign",
+    severity: "Warning"
+  },
+  "encoded-literal": {
+    i18n: "sast_warnings.encoded_literal",
+    severity: "Information"
+  },
+  "short-identifiers": {
+    i18n: "sast_warnings.short_identifiers",
+    severity: "Warning"
+  },
+  "suspicious-literal": {
+    i18n: "sast_warnings.suspicious_literal",
+    severity: "Warning"
+  },
+  "obfuscated-code": {
+    i18n: "sast_warnings.obfuscated_code",
+    severity: "Critical",
+    experimental: true
+  },
+  "weak-crypto": {
+    i18n: "sast_warnings.weak_crypto",
+    severity: "Information",
+    experimental: true
+  }
+});
+
+export function generateWarning(kind, options) {
+  const { location, file = null, value = null } = options;
+
+  if (kind === "encoded-literal") {
+    return Object.assign(
+      { kind, value, location: [utils.toArrayLocation(location)] },
+      warnings[kind]
+    );
+  }
+
+  const result = { kind, location: utils.toArrayLocation(location) };
+  if (utils.notNullOrUndefined(file)) {
+    result.file = file;
+  }
+  if (utils.notNullOrUndefined(value)) {
+    result.value = value;
+  }
+
+  return Object.assign(result, warnings[kind]);
+}
+