@oculum/scanner 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/formatters/cli-terminal.d.ts +27 -0
- package/dist/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/formatters/cli-terminal.js +412 -0
- package/dist/formatters/cli-terminal.js.map +1 -0
- package/dist/formatters/github-comment.d.ts +41 -0
- package/dist/formatters/github-comment.d.ts.map +1 -0
- package/dist/formatters/github-comment.js +306 -0
- package/dist/formatters/github-comment.js.map +1 -0
- package/dist/formatters/grouping.d.ts +52 -0
- package/dist/formatters/grouping.d.ts.map +1 -0
- package/dist/formatters/grouping.js +152 -0
- package/dist/formatters/grouping.js.map +1 -0
- package/dist/formatters/index.d.ts +9 -0
- package/dist/formatters/index.d.ts.map +1 -0
- package/dist/formatters/index.js +35 -0
- package/dist/formatters/index.js.map +1 -0
- package/dist/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/formatters/vscode-diagnostic.js +151 -0
- package/dist/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/index.d.ts +52 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +648 -0
- package/dist/index.js.map +1 -0
- package/dist/layer1/comments.d.ts +8 -0
- package/dist/layer1/comments.d.ts.map +1 -0
- package/dist/layer1/comments.js +203 -0
- package/dist/layer1/comments.js.map +1 -0
- package/dist/layer1/config-audit.d.ts +8 -0
- package/dist/layer1/config-audit.d.ts.map +1 -0
- package/dist/layer1/config-audit.js +252 -0
- package/dist/layer1/config-audit.js.map +1 -0
- package/dist/layer1/entropy.d.ts +8 -0
- package/dist/layer1/entropy.d.ts.map +1 -0
- package/dist/layer1/entropy.js +500 -0
- package/dist/layer1/entropy.js.map +1 -0
- package/dist/layer1/file-flags.d.ts +7 -0
- package/dist/layer1/file-flags.d.ts.map +1 -0
- package/dist/layer1/file-flags.js +112 -0
- package/dist/layer1/file-flags.js.map +1 -0
- package/dist/layer1/index.d.ts +36 -0
- package/dist/layer1/index.d.ts.map +1 -0
- package/dist/layer1/index.js +132 -0
- package/dist/layer1/index.js.map +1 -0
- package/dist/layer1/patterns.d.ts +8 -0
- package/dist/layer1/patterns.d.ts.map +1 -0
- package/dist/layer1/patterns.js +482 -0
- package/dist/layer1/patterns.js.map +1 -0
- package/dist/layer1/urls.d.ts +8 -0
- package/dist/layer1/urls.d.ts.map +1 -0
- package/dist/layer1/urls.js +296 -0
- package/dist/layer1/urls.js.map +1 -0
- package/dist/layer1/weak-crypto.d.ts +7 -0
- package/dist/layer1/weak-crypto.d.ts.map +1 -0
- package/dist/layer1/weak-crypto.js +291 -0
- package/dist/layer1/weak-crypto.js.map +1 -0
- package/dist/layer2/ai-agent-tools.d.ts +19 -0
- package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
- package/dist/layer2/ai-agent-tools.js +528 -0
- package/dist/layer2/ai-agent-tools.js.map +1 -0
- package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
- package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
- package/dist/layer2/ai-endpoint-protection.js +332 -0
- package/dist/layer2/ai-endpoint-protection.js.map +1 -0
- package/dist/layer2/ai-execution-sinks.d.ts +18 -0
- package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
- package/dist/layer2/ai-execution-sinks.js +496 -0
- package/dist/layer2/ai-execution-sinks.js.map +1 -0
- package/dist/layer2/ai-fingerprinting.d.ts +7 -0
- package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
- package/dist/layer2/ai-fingerprinting.js +654 -0
- package/dist/layer2/ai-fingerprinting.js.map +1 -0
- package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
- package/dist/layer2/ai-prompt-hygiene.js +356 -0
- package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
- package/dist/layer2/ai-rag-safety.d.ts +21 -0
- package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
- package/dist/layer2/ai-rag-safety.js +459 -0
- package/dist/layer2/ai-rag-safety.js.map +1 -0
- package/dist/layer2/ai-schema-validation.d.ts +25 -0
- package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
- package/dist/layer2/ai-schema-validation.js +375 -0
- package/dist/layer2/ai-schema-validation.js.map +1 -0
- package/dist/layer2/auth-antipatterns.d.ts +20 -0
- package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
- package/dist/layer2/auth-antipatterns.js +333 -0
- package/dist/layer2/auth-antipatterns.js.map +1 -0
- package/dist/layer2/byok-patterns.d.ts +12 -0
- package/dist/layer2/byok-patterns.d.ts.map +1 -0
- package/dist/layer2/byok-patterns.js +299 -0
- package/dist/layer2/byok-patterns.js.map +1 -0
- package/dist/layer2/dangerous-functions.d.ts +7 -0
- package/dist/layer2/dangerous-functions.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions.js +1375 -0
- package/dist/layer2/dangerous-functions.js.map +1 -0
- package/dist/layer2/data-exposure.d.ts +16 -0
- package/dist/layer2/data-exposure.d.ts.map +1 -0
- package/dist/layer2/data-exposure.js +279 -0
- package/dist/layer2/data-exposure.js.map +1 -0
- package/dist/layer2/framework-checks.d.ts +7 -0
- package/dist/layer2/framework-checks.d.ts.map +1 -0
- package/dist/layer2/framework-checks.js +388 -0
- package/dist/layer2/framework-checks.js.map +1 -0
- package/dist/layer2/index.d.ts +58 -0
- package/dist/layer2/index.d.ts.map +1 -0
- package/dist/layer2/index.js +380 -0
- package/dist/layer2/index.js.map +1 -0
- package/dist/layer2/logic-gates.d.ts +7 -0
- package/dist/layer2/logic-gates.d.ts.map +1 -0
- package/dist/layer2/logic-gates.js +182 -0
- package/dist/layer2/logic-gates.js.map +1 -0
- package/dist/layer2/risky-imports.d.ts +7 -0
- package/dist/layer2/risky-imports.d.ts.map +1 -0
- package/dist/layer2/risky-imports.js +161 -0
- package/dist/layer2/risky-imports.js.map +1 -0
- package/dist/layer2/variables.d.ts +8 -0
- package/dist/layer2/variables.d.ts.map +1 -0
- package/dist/layer2/variables.js +152 -0
- package/dist/layer2/variables.js.map +1 -0
- package/dist/layer3/anthropic.d.ts +83 -0
- package/dist/layer3/anthropic.d.ts.map +1 -0
- package/dist/layer3/anthropic.js +1745 -0
- package/dist/layer3/anthropic.js.map +1 -0
- package/dist/layer3/index.d.ts +24 -0
- package/dist/layer3/index.d.ts.map +1 -0
- package/dist/layer3/index.js +119 -0
- package/dist/layer3/index.js.map +1 -0
- package/dist/layer3/openai.d.ts +25 -0
- package/dist/layer3/openai.d.ts.map +1 -0
- package/dist/layer3/openai.js +238 -0
- package/dist/layer3/openai.js.map +1 -0
- package/dist/layer3/package-check.d.ts +63 -0
- package/dist/layer3/package-check.d.ts.map +1 -0
- package/dist/layer3/package-check.js +508 -0
- package/dist/layer3/package-check.js.map +1 -0
- package/dist/modes/incremental.d.ts +66 -0
- package/dist/modes/incremental.d.ts.map +1 -0
- package/dist/modes/incremental.js +200 -0
- package/dist/modes/incremental.js.map +1 -0
- package/dist/tiers.d.ts +125 -0
- package/dist/tiers.d.ts.map +1 -0
- package/dist/tiers.js +234 -0
- package/dist/tiers.js.map +1 -0
- package/dist/types.d.ts +175 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +50 -0
- package/dist/types.js.map +1 -0
- package/dist/utils/auth-helper-detector.d.ts +56 -0
- package/dist/utils/auth-helper-detector.d.ts.map +1 -0
- package/dist/utils/auth-helper-detector.js +360 -0
- package/dist/utils/auth-helper-detector.js.map +1 -0
- package/dist/utils/context-helpers.d.ts +96 -0
- package/dist/utils/context-helpers.d.ts.map +1 -0
- package/dist/utils/context-helpers.js +493 -0
- package/dist/utils/context-helpers.js.map +1 -0
- package/dist/utils/diff-detector.d.ts +53 -0
- package/dist/utils/diff-detector.d.ts.map +1 -0
- package/dist/utils/diff-detector.js +104 -0
- package/dist/utils/diff-detector.js.map +1 -0
- package/dist/utils/diff-parser.d.ts +80 -0
- package/dist/utils/diff-parser.d.ts.map +1 -0
- package/dist/utils/diff-parser.js +202 -0
- package/dist/utils/diff-parser.js.map +1 -0
- package/dist/utils/imported-auth-detector.d.ts +37 -0
- package/dist/utils/imported-auth-detector.d.ts.map +1 -0
- package/dist/utils/imported-auth-detector.js +251 -0
- package/dist/utils/imported-auth-detector.js.map +1 -0
- package/dist/utils/middleware-detector.d.ts +55 -0
- package/dist/utils/middleware-detector.d.ts.map +1 -0
- package/dist/utils/middleware-detector.js +260 -0
- package/dist/utils/middleware-detector.js.map +1 -0
- package/dist/utils/oauth-flow-detector.d.ts +41 -0
- package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
- package/dist/utils/oauth-flow-detector.js +202 -0
- package/dist/utils/oauth-flow-detector.js.map +1 -0
- package/dist/utils/path-exclusions.d.ts +55 -0
- package/dist/utils/path-exclusions.d.ts.map +1 -0
- package/dist/utils/path-exclusions.js +222 -0
- package/dist/utils/path-exclusions.js.map +1 -0
- package/dist/utils/project-context-builder.d.ts +119 -0
- package/dist/utils/project-context-builder.d.ts.map +1 -0
- package/dist/utils/project-context-builder.js +534 -0
- package/dist/utils/project-context-builder.js.map +1 -0
- package/dist/utils/registry-clients.d.ts +93 -0
- package/dist/utils/registry-clients.d.ts.map +1 -0
- package/dist/utils/registry-clients.js +273 -0
- package/dist/utils/registry-clients.js.map +1 -0
- package/dist/utils/trpc-analyzer.d.ts +78 -0
- package/dist/utils/trpc-analyzer.d.ts.map +1 -0
- package/dist/utils/trpc-analyzer.js +297 -0
- package/dist/utils/trpc-analyzer.js.map +1 -0
- package/package.json +45 -0
- package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
- package/src/__tests__/benchmark/fixtures/index.ts +68 -0
- package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
- package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
- package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
- package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
- package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
- package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
- package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
- package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
- package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
- package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
- package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
- package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
- package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
- package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
- package/src/__tests__/benchmark/index.ts +29 -0
- package/src/__tests__/benchmark/run-benchmark.ts +144 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
- package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
- package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
- package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
- package/src/__tests__/benchmark/types.ts +144 -0
- package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
- package/src/__tests__/regression/known-false-positives.test.ts +467 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
- package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
- package/src/__tests__/validation/analyze-results.ts +542 -0
- package/src/__tests__/validation/extract-for-triage.ts +146 -0
- package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
- package/src/__tests__/validation/run-validation.ts +364 -0
- package/src/__tests__/validation/triage-template.md +132 -0
- package/src/formatters/cli-terminal.ts +446 -0
- package/src/formatters/github-comment.ts +382 -0
- package/src/formatters/grouping.ts +190 -0
- package/src/formatters/index.ts +47 -0
- package/src/formatters/vscode-diagnostic.ts +243 -0
- package/src/index.ts +823 -0
- package/src/layer1/comments.ts +218 -0
- package/src/layer1/config-audit.ts +289 -0
- package/src/layer1/entropy.ts +583 -0
- package/src/layer1/file-flags.ts +127 -0
- package/src/layer1/index.ts +181 -0
- package/src/layer1/patterns.ts +516 -0
- package/src/layer1/urls.ts +334 -0
- package/src/layer1/weak-crypto.ts +328 -0
- package/src/layer2/ai-agent-tools.ts +601 -0
- package/src/layer2/ai-endpoint-protection.ts +387 -0
- package/src/layer2/ai-execution-sinks.ts +580 -0
- package/src/layer2/ai-fingerprinting.ts +758 -0
- package/src/layer2/ai-prompt-hygiene.ts +411 -0
- package/src/layer2/ai-rag-safety.ts +511 -0
- package/src/layer2/ai-schema-validation.ts +421 -0
- package/src/layer2/auth-antipatterns.ts +394 -0
- package/src/layer2/byok-patterns.ts +336 -0
- package/src/layer2/dangerous-functions.ts +1563 -0
- package/src/layer2/data-exposure.ts +315 -0
- package/src/layer2/framework-checks.ts +433 -0
- package/src/layer2/index.ts +473 -0
- package/src/layer2/logic-gates.ts +206 -0
- package/src/layer2/risky-imports.ts +186 -0
- package/src/layer2/variables.ts +166 -0
- package/src/layer3/anthropic.ts +2030 -0
- package/src/layer3/index.ts +130 -0
- package/src/layer3/package-check.ts +604 -0
- package/src/modes/incremental.ts +293 -0
- package/src/tiers.ts +318 -0
- package/src/types.ts +284 -0
- package/src/utils/auth-helper-detector.ts +443 -0
- package/src/utils/context-helpers.ts +535 -0
- package/src/utils/diff-detector.ts +135 -0
- package/src/utils/diff-parser.ts +272 -0
- package/src/utils/imported-auth-detector.ts +320 -0
- package/src/utils/middleware-detector.ts +333 -0
- package/src/utils/oauth-flow-detector.ts +246 -0
- package/src/utils/path-exclusions.ts +266 -0
- package/src/utils/project-context-builder.ts +707 -0
- package/src/utils/registry-clients.ts +351 -0
- package/src/utils/trpc-analyzer.ts +382 -0
|
@@ -0,0 +1,380 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Layer 2: Structural Scan
|
|
4
|
+
* Contextual analysis using variable heuristics, logic gate detection,
|
|
5
|
+
* dangerous functions, risky imports, auth anti-patterns, framework checks,
|
|
6
|
+
* and AI code fingerprinting
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.detectAISchemaValidation = exports.detectAIEndpointProtection = exports.detectRAGSafetyIssues = exports.detectAIAgentTools = exports.detectAIExecutionSinks = exports.detectAIPromptHygiene = exports.detectBYOKPatterns = exports.detectDataExposure = exports.detectAIFingerprints = exports.detectFrameworkIssues = exports.detectAuthAntipatterns = exports.detectRiskyImports = exports.detectDangerousFunctions = exports.detectLogicGates = exports.detectSensitiveVariables = void 0;
|
|
10
|
+
exports.runLayer2Scan = runLayer2Scan;
|
|
11
|
+
const auth_helper_detector_1 = require("../utils/auth-helper-detector");
|
|
12
|
+
const path_exclusions_1 = require("../utils/path-exclusions");
|
|
13
|
+
const variables_1 = require("./variables");
|
|
14
|
+
const logic_gates_1 = require("./logic-gates");
|
|
15
|
+
const dangerous_functions_1 = require("./dangerous-functions");
|
|
16
|
+
const risky_imports_1 = require("./risky-imports");
|
|
17
|
+
const auth_antipatterns_1 = require("./auth-antipatterns");
|
|
18
|
+
const framework_checks_1 = require("./framework-checks");
|
|
19
|
+
const ai_fingerprinting_1 = require("./ai-fingerprinting");
|
|
20
|
+
const data_exposure_1 = require("./data-exposure");
|
|
21
|
+
const byok_patterns_1 = require("./byok-patterns");
|
|
22
|
+
// Story B: AI-specific detection modules
|
|
23
|
+
const ai_prompt_hygiene_1 = require("./ai-prompt-hygiene");
|
|
24
|
+
const ai_execution_sinks_1 = require("./ai-execution-sinks");
|
|
25
|
+
const ai_agent_tools_1 = require("./ai-agent-tools");
|
|
26
|
+
// M5: New AI-era detectors
|
|
27
|
+
const ai_rag_safety_1 = require("./ai-rag-safety");
|
|
28
|
+
const ai_endpoint_protection_1 = require("./ai-endpoint-protection");
|
|
29
|
+
const ai_schema_validation_1 = require("./ai-schema-validation");
|
|
30
|
+
// Tier system imports
|
|
31
|
+
const tiers_1 = require("../tiers");
|
|
32
|
+
async function runLayer2Scan(files, options = {}) {
|
|
33
|
+
const startTime = Date.now();
|
|
34
|
+
const vulnerabilities = [];
|
|
35
|
+
const stats = {
|
|
36
|
+
variables: 0,
|
|
37
|
+
logicGates: 0,
|
|
38
|
+
dangerousFunctions: 0,
|
|
39
|
+
riskyImports: 0,
|
|
40
|
+
authAntipatterns: 0,
|
|
41
|
+
frameworkIssues: 0,
|
|
42
|
+
aiFingerprints: 0,
|
|
43
|
+
dataExposure: 0,
|
|
44
|
+
byokPatterns: 0,
|
|
45
|
+
promptHygiene: 0,
|
|
46
|
+
executionSinks: 0,
|
|
47
|
+
agentTools: 0,
|
|
48
|
+
// M5: New AI-era detectors
|
|
49
|
+
ragSafety: 0,
|
|
50
|
+
endpointProtection: 0,
|
|
51
|
+
schemaValidation: 0,
|
|
52
|
+
};
|
|
53
|
+
// Detect auth helpers once for all files (if not already provided)
|
|
54
|
+
const authHelperContext = options.authHelperContext || (0, auth_helper_detector_1.detectAuthHelpers)(files);
|
|
55
|
+
for (const file of files) {
|
|
56
|
+
// Only scan code files for Layer 2 (skip configs, etc.)
|
|
57
|
+
if (isCodeFile(file.path)) {
|
|
58
|
+
// Existing scanners
|
|
59
|
+
const variableFindings = (0, variables_1.detectSensitiveVariables)(file.content, file.path);
|
|
60
|
+
const logicFindings = (0, logic_gates_1.detectLogicGates)(file.content, file.path);
|
|
61
|
+
// New Layer 2 scanners
|
|
62
|
+
const dangerousFuncFindings = (0, dangerous_functions_1.detectDangerousFunctions)(file.content, file.path);
|
|
63
|
+
const riskyImportFindings = (0, risky_imports_1.detectRiskyImports)(file.content, file.path);
|
|
64
|
+
const authFindings = (0, auth_antipatterns_1.detectAuthAntipatterns)(file.content, file.path, {
|
|
65
|
+
middlewareConfig: options.middlewareConfig,
|
|
66
|
+
authHelpers: authHelperContext,
|
|
67
|
+
fileAuthImports: options.fileAuthImports,
|
|
68
|
+
});
|
|
69
|
+
const frameworkFindings = (0, framework_checks_1.detectFrameworkIssues)(file.content, file.path);
|
|
70
|
+
const aiFindings = (0, ai_fingerprinting_1.detectAIFingerprints)(file.content, file.path);
|
|
71
|
+
const dataExposureFindings = (0, data_exposure_1.detectDataExposure)(file.content, file.path);
|
|
72
|
+
const byokFindings = (0, byok_patterns_1.detectBYOKPatterns)(file.content, file.path, options.middlewareConfig);
|
|
73
|
+
// Story B: AI-specific detection (prompt hygiene, execution sinks, agent tools)
|
|
74
|
+
const promptHygieneFindings = (0, ai_prompt_hygiene_1.detectAIPromptHygiene)(file.content, file.path);
|
|
75
|
+
const executionSinkFindings = (0, ai_execution_sinks_1.detectAIExecutionSinks)(file.content, file.path);
|
|
76
|
+
const agentToolFindings = (0, ai_agent_tools_1.detectAIAgentTools)(file.content, file.path);
|
|
77
|
+
// M5: New AI-era detectors
|
|
78
|
+
const ragSafetyFindings = (0, ai_rag_safety_1.detectRAGSafetyIssues)(file.content, file.path);
|
|
79
|
+
const endpointProtectionFindings = (0, ai_endpoint_protection_1.detectAIEndpointProtection)(file.content, file.path, {
|
|
80
|
+
middlewareConfig: options.middlewareConfig,
|
|
81
|
+
});
|
|
82
|
+
const schemaValidationFindings = (0, ai_schema_validation_1.detectAISchemaValidation)(file.content, file.path);
|
|
83
|
+
stats.variables += variableFindings.length;
|
|
84
|
+
stats.logicGates += logicFindings.length;
|
|
85
|
+
stats.dangerousFunctions += dangerousFuncFindings.length;
|
|
86
|
+
stats.riskyImports += riskyImportFindings.length;
|
|
87
|
+
stats.authAntipatterns += authFindings.length;
|
|
88
|
+
stats.frameworkIssues += frameworkFindings.length;
|
|
89
|
+
stats.aiFingerprints += aiFindings.length;
|
|
90
|
+
stats.dataExposure += dataExposureFindings.length;
|
|
91
|
+
stats.byokPatterns += byokFindings.length;
|
|
92
|
+
stats.promptHygiene += promptHygieneFindings.length;
|
|
93
|
+
stats.executionSinks += executionSinkFindings.length;
|
|
94
|
+
stats.agentTools += agentToolFindings.length;
|
|
95
|
+
stats.ragSafety += ragSafetyFindings.length;
|
|
96
|
+
stats.endpointProtection += endpointProtectionFindings.length;
|
|
97
|
+
stats.schemaValidation += schemaValidationFindings.length;
|
|
98
|
+
vulnerabilities.push(...variableFindings, ...logicFindings, ...dangerousFuncFindings, ...riskyImportFindings, ...authFindings, ...frameworkFindings, ...aiFindings, ...dataExposureFindings, ...byokFindings, ...promptHygieneFindings, ...executionSinkFindings, ...agentToolFindings, ...ragSafetyFindings, ...endpointProtectionFindings, ...schemaValidationFindings);
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
// Deduplicate findings
|
|
102
|
+
const dedupedVulnerabilities = deduplicateFindings(vulnerabilities);
|
|
103
|
+
// Apply path exclusions (test files, seed files, etc.)
|
|
104
|
+
// By default, exclude test and seed files unless explicitly disabled
|
|
105
|
+
const excludeTestFiles = options.excludeTestFiles !== false;
|
|
106
|
+
const excludeSeedFiles = options.excludeSeedFiles !== false;
|
|
107
|
+
// Build exclusion config based on options
|
|
108
|
+
const exclusionConfig = {};
|
|
109
|
+
if (!excludeTestFiles) {
|
|
110
|
+
exclusionConfig.testPatterns = [];
|
|
111
|
+
}
|
|
112
|
+
if (!excludeSeedFiles) {
|
|
113
|
+
exclusionConfig.seedPatterns = [];
|
|
114
|
+
}
|
|
115
|
+
if (options.customExclusions) {
|
|
116
|
+
// Add custom exclusions to all pattern types
|
|
117
|
+
exclusionConfig.testPatterns = [
|
|
118
|
+
...(exclusionConfig.testPatterns || []),
|
|
119
|
+
...options.customExclusions,
|
|
120
|
+
];
|
|
121
|
+
}
|
|
122
|
+
const { kept: uniqueVulnerabilities, suppressed } = (0, path_exclusions_1.filterFindingsByPath)(dedupedVulnerabilities, Object.keys(exclusionConfig).length > 0 ? exclusionConfig : undefined);
|
|
123
|
+
// Log suppressed findings
|
|
124
|
+
if (suppressed.length > 0) {
|
|
125
|
+
console.log(`[Layer 2] Suppressed ${suppressed.length} findings in test/seed/example files:`);
|
|
126
|
+
const byReason = new Map();
|
|
127
|
+
for (const { reason } of suppressed) {
|
|
128
|
+
byReason.set(reason || 'unknown', (byReason.get(reason || 'unknown') || 0) + 1);
|
|
129
|
+
}
|
|
130
|
+
for (const [reason, count] of byReason) {
|
|
131
|
+
console.log(` - ${reason}: ${count}`);
|
|
132
|
+
}
|
|
133
|
+
}
|
|
134
|
+
// Build raw stats map for logging
|
|
135
|
+
const rawStats = {
|
|
136
|
+
sensitive_variables: stats.variables,
|
|
137
|
+
logic_gates: stats.logicGates,
|
|
138
|
+
dangerous_functions: stats.dangerousFunctions,
|
|
139
|
+
risky_imports: stats.riskyImports,
|
|
140
|
+
auth_antipatterns: stats.authAntipatterns,
|
|
141
|
+
framework_issues: stats.frameworkIssues,
|
|
142
|
+
ai_fingerprints: stats.aiFingerprints,
|
|
143
|
+
data_exposure: stats.dataExposure,
|
|
144
|
+
byok_patterns: stats.byokPatterns,
|
|
145
|
+
ai_prompt_hygiene: stats.promptHygiene,
|
|
146
|
+
ai_execution_sinks: stats.executionSinks,
|
|
147
|
+
ai_agent_tools: stats.agentTools,
|
|
148
|
+
// M5: New AI-era detectors
|
|
149
|
+
ai_rag_safety: stats.ragSafety,
|
|
150
|
+
ai_endpoint_protection: stats.endpointProtection,
|
|
151
|
+
ai_schema_validation: stats.schemaValidation,
|
|
152
|
+
};
|
|
153
|
+
// Compute deduped counts per category
|
|
154
|
+
const dedupedStats = {};
|
|
155
|
+
for (const vuln of uniqueVulnerabilities) {
|
|
156
|
+
const cat = vuln.category;
|
|
157
|
+
dedupedStats[cat] = (dedupedStats[cat] || 0) + 1;
|
|
158
|
+
}
|
|
159
|
+
// Compute severity distribution
|
|
160
|
+
const severityStats = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
|
|
161
|
+
for (const vuln of uniqueVulnerabilities) {
|
|
162
|
+
severityStats[vuln.severity] = (severityStats[vuln.severity] || 0) + 1;
|
|
163
|
+
}
|
|
164
|
+
// Compute tier breakdown (all Layer 2 findings have layer: 2)
|
|
165
|
+
const tierStats = (0, tiers_1.computeTierStats)(uniqueVulnerabilities.map(v => ({ category: v.category, layer: 2 })));
|
|
166
|
+
// Map raw stats keys to detector names for tier lookup
|
|
167
|
+
const detectorNameMap = {
|
|
168
|
+
sensitive_variables: 'variables',
|
|
169
|
+
logic_gates: 'logic_gates',
|
|
170
|
+
dangerous_functions: 'dangerous_functions',
|
|
171
|
+
risky_imports: 'risky_imports',
|
|
172
|
+
auth_antipatterns: 'auth_antipatterns',
|
|
173
|
+
framework_issues: 'framework_checks',
|
|
174
|
+
ai_fingerprints: 'ai_fingerprinting',
|
|
175
|
+
data_exposure: 'data_exposure',
|
|
176
|
+
byok_patterns: 'byok_patterns',
|
|
177
|
+
ai_prompt_hygiene: 'ai_prompt_hygiene',
|
|
178
|
+
ai_execution_sinks: 'ai_execution_sinks',
|
|
179
|
+
ai_agent_tools: 'ai_agent_tools',
|
|
180
|
+
// M5: New AI-era detectors
|
|
181
|
+
ai_rag_safety: 'ai_rag_safety',
|
|
182
|
+
ai_endpoint_protection: 'ai_endpoint_protection',
|
|
183
|
+
ai_schema_validation: 'ai_schema_validation',
|
|
184
|
+
};
|
|
185
|
+
// Log heuristic breakdown (raw findings before dedupe) with tier info
|
|
186
|
+
console.log('[Layer 2] Heuristic breakdown (raw findings before dedupe):');
|
|
187
|
+
for (const [name, count] of Object.entries(rawStats)) {
|
|
188
|
+
if (count > 0) {
|
|
189
|
+
const detectorName = detectorNameMap[name];
|
|
190
|
+
const tier = detectorName ? (0, tiers_1.getLayer2DetectorTier)(detectorName) : 'unknown';
|
|
191
|
+
console.log(` - ${name}: ${count} (${tier})`);
|
|
192
|
+
}
|
|
193
|
+
}
|
|
194
|
+
console.log(`[Layer 2] Tier breakdown (after dedupe): ${(0, tiers_1.formatTierStats)(tierStats)}`);
|
|
195
|
+
return {
|
|
196
|
+
vulnerabilities: uniqueVulnerabilities,
|
|
197
|
+
filesScanned: files.filter(f => isCodeFile(f.path)).length,
|
|
198
|
+
duration: Date.now() - startTime,
|
|
199
|
+
stats: {
|
|
200
|
+
raw: rawStats,
|
|
201
|
+
deduped: dedupedStats,
|
|
202
|
+
bySeverity: severityStats,
|
|
203
|
+
tiers: tierStats,
|
|
204
|
+
suppressedByPath: suppressed.length,
|
|
205
|
+
},
|
|
206
|
+
};
|
|
207
|
+
}
|
|
208
|
+
// Check if file is a code file (not config/data)
|
|
209
|
+
function isCodeFile(filePath) {
|
|
210
|
+
const codeExtensions = [
|
|
211
|
+
'.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
|
|
212
|
+
'.py', '.rb', '.php', '.go', '.java', '.cs',
|
|
213
|
+
'.rs', '.swift', '.kt', '.scala',
|
|
214
|
+
];
|
|
215
|
+
return codeExtensions.some(ext => filePath.endsWith(ext));
|
|
216
|
+
}
|
|
217
|
+
// Remove duplicate findings on the same line and merge related findings
|
|
218
|
+
function deduplicateFindings(vulnerabilities) {
|
|
219
|
+
// First pass: exact deduplication by file:line:category
|
|
220
|
+
const seen = new Map();
|
|
221
|
+
for (const vuln of vulnerabilities) {
|
|
222
|
+
const key = `${vuln.filePath}:${vuln.lineNumber}:${vuln.category}`;
|
|
223
|
+
const existing = seen.get(key);
|
|
224
|
+
// Keep the higher severity finding
|
|
225
|
+
if (!existing || severityRank(vuln.severity) > severityRank(existing.severity)) {
|
|
226
|
+
seen.set(key, vuln);
|
|
227
|
+
}
|
|
228
|
+
}
|
|
229
|
+
// Second pass: merge findings on adjacent lines (within 3 lines) with same category
|
|
230
|
+
const dedupedList = Array.from(seen.values());
|
|
231
|
+
const merged = mergeAdjacentFindings(dedupedList);
|
|
232
|
+
// Third pass: subsume related categories (e.g., specific finding subsumes generic)
|
|
233
|
+
return subsumeRelatedFindings(merged);
|
|
234
|
+
}
|
|
235
|
+
// Merge findings on adjacent lines with the same category
|
|
236
|
+
function mergeAdjacentFindings(vulnerabilities) {
|
|
237
|
+
if (vulnerabilities.length <= 1)
|
|
238
|
+
return vulnerabilities;
|
|
239
|
+
// Group by file and category
|
|
240
|
+
const groups = new Map();
|
|
241
|
+
for (const vuln of vulnerabilities) {
|
|
242
|
+
const key = `${vuln.filePath}:${vuln.category}`;
|
|
243
|
+
const group = groups.get(key) || [];
|
|
244
|
+
group.push(vuln);
|
|
245
|
+
groups.set(key, group);
|
|
246
|
+
}
|
|
247
|
+
const result = [];
|
|
248
|
+
for (const [, group] of groups) {
|
|
249
|
+
if (group.length === 1) {
|
|
250
|
+
result.push(group[0]);
|
|
251
|
+
continue;
|
|
252
|
+
}
|
|
253
|
+
// Sort by line number
|
|
254
|
+
group.sort((a, b) => a.lineNumber - b.lineNumber);
|
|
255
|
+
// Merge adjacent findings (within 3 lines)
|
|
256
|
+
let current = group[0];
|
|
257
|
+
let mergedCount = 1;
|
|
258
|
+
for (let i = 1; i < group.length; i++) {
|
|
259
|
+
const next = group[i];
|
|
260
|
+
if (next.lineNumber - current.lineNumber <= 3) {
|
|
261
|
+
// Merge: keep higher severity, note the merge
|
|
262
|
+
mergedCount++;
|
|
263
|
+
if (severityRank(next.severity) > severityRank(current.severity)) {
|
|
264
|
+
current = {
|
|
265
|
+
...next,
|
|
266
|
+
title: current.title,
|
|
267
|
+
description: current.description,
|
|
268
|
+
};
|
|
269
|
+
}
|
|
270
|
+
}
|
|
271
|
+
else {
|
|
272
|
+
// Not adjacent - emit current and start new
|
|
273
|
+
if (mergedCount > 1) {
|
|
274
|
+
current = {
|
|
275
|
+
...current,
|
|
276
|
+
title: `${current.title} (${mergedCount} occurrences)`,
|
|
277
|
+
};
|
|
278
|
+
}
|
|
279
|
+
result.push(current);
|
|
280
|
+
current = next;
|
|
281
|
+
mergedCount = 1;
|
|
282
|
+
}
|
|
283
|
+
}
|
|
284
|
+
// Emit last
|
|
285
|
+
if (mergedCount > 1) {
|
|
286
|
+
current = {
|
|
287
|
+
...current,
|
|
288
|
+
title: `${current.title} (${mergedCount} occurrences)`,
|
|
289
|
+
};
|
|
290
|
+
}
|
|
291
|
+
result.push(current);
|
|
292
|
+
}
|
|
293
|
+
return result;
|
|
294
|
+
}
|
|
295
|
+
// Subsume related findings where a more specific finding covers a generic one
|
|
296
|
+
function subsumeRelatedFindings(vulnerabilities) {
|
|
297
|
+
// Define subsumption rules: specific category subsumes generic
|
|
298
|
+
const subsumptionRules = {
|
|
299
|
+
// SQL injection subsumes generic dangerous function
|
|
300
|
+
sql_injection: ['dangerous_function'],
|
|
301
|
+
// Command injection subsumes generic dangerous function
|
|
302
|
+
command_injection: ['dangerous_function'],
|
|
303
|
+
// XSS subsumes generic dangerous function
|
|
304
|
+
xss: ['dangerous_function'],
|
|
305
|
+
// Specific auth issues subsume generic missing auth
|
|
306
|
+
missing_auth: ['auth_antipattern'],
|
|
307
|
+
};
|
|
308
|
+
// Group by file and line
|
|
309
|
+
const byLocation = new Map();
|
|
310
|
+
for (const vuln of vulnerabilities) {
|
|
311
|
+
const key = `${vuln.filePath}:${vuln.lineNumber}`;
|
|
312
|
+
const group = byLocation.get(key) || [];
|
|
313
|
+
group.push(vuln);
|
|
314
|
+
byLocation.set(key, group);
|
|
315
|
+
}
|
|
316
|
+
const result = [];
|
|
317
|
+
for (const [, group] of byLocation) {
|
|
318
|
+
if (group.length === 1) {
|
|
319
|
+
result.push(group[0]);
|
|
320
|
+
continue;
|
|
321
|
+
}
|
|
322
|
+
// Check for subsumption
|
|
323
|
+
const toKeep = new Set(group);
|
|
324
|
+
for (const vuln of group) {
|
|
325
|
+
const subsumes = subsumptionRules[vuln.category];
|
|
326
|
+
if (subsumes) {
|
|
327
|
+
for (const other of group) {
|
|
328
|
+
if (subsumes.includes(other.category) && other !== vuln) {
|
|
329
|
+
toKeep.delete(other);
|
|
330
|
+
}
|
|
331
|
+
}
|
|
332
|
+
}
|
|
333
|
+
}
|
|
334
|
+
result.push(...toKeep);
|
|
335
|
+
}
|
|
336
|
+
return result;
|
|
337
|
+
}
|
|
338
|
+
function severityRank(severity) {
|
|
339
|
+
const ranks = {
|
|
340
|
+
critical: 4,
|
|
341
|
+
high: 3,
|
|
342
|
+
medium: 2,
|
|
343
|
+
low: 1,
|
|
344
|
+
info: 0,
|
|
345
|
+
};
|
|
346
|
+
return ranks[severity] || 0;
|
|
347
|
+
}
|
|
348
|
+
var variables_2 = require("./variables");
|
|
349
|
+
Object.defineProperty(exports, "detectSensitiveVariables", { enumerable: true, get: function () { return variables_2.detectSensitiveVariables; } });
|
|
350
|
+
var logic_gates_2 = require("./logic-gates");
|
|
351
|
+
Object.defineProperty(exports, "detectLogicGates", { enumerable: true, get: function () { return logic_gates_2.detectLogicGates; } });
|
|
352
|
+
var dangerous_functions_2 = require("./dangerous-functions");
|
|
353
|
+
Object.defineProperty(exports, "detectDangerousFunctions", { enumerable: true, get: function () { return dangerous_functions_2.detectDangerousFunctions; } });
|
|
354
|
+
var risky_imports_2 = require("./risky-imports");
|
|
355
|
+
Object.defineProperty(exports, "detectRiskyImports", { enumerable: true, get: function () { return risky_imports_2.detectRiskyImports; } });
|
|
356
|
+
var auth_antipatterns_2 = require("./auth-antipatterns");
|
|
357
|
+
Object.defineProperty(exports, "detectAuthAntipatterns", { enumerable: true, get: function () { return auth_antipatterns_2.detectAuthAntipatterns; } });
|
|
358
|
+
var framework_checks_2 = require("./framework-checks");
|
|
359
|
+
Object.defineProperty(exports, "detectFrameworkIssues", { enumerable: true, get: function () { return framework_checks_2.detectFrameworkIssues; } });
|
|
360
|
+
var ai_fingerprinting_2 = require("./ai-fingerprinting");
|
|
361
|
+
Object.defineProperty(exports, "detectAIFingerprints", { enumerable: true, get: function () { return ai_fingerprinting_2.detectAIFingerprints; } });
|
|
362
|
+
var data_exposure_2 = require("./data-exposure");
|
|
363
|
+
Object.defineProperty(exports, "detectDataExposure", { enumerable: true, get: function () { return data_exposure_2.detectDataExposure; } });
|
|
364
|
+
var byok_patterns_2 = require("./byok-patterns");
|
|
365
|
+
Object.defineProperty(exports, "detectBYOKPatterns", { enumerable: true, get: function () { return byok_patterns_2.detectBYOKPatterns; } });
|
|
366
|
+
// Story B: AI-specific detectors
|
|
367
|
+
var ai_prompt_hygiene_2 = require("./ai-prompt-hygiene");
|
|
368
|
+
Object.defineProperty(exports, "detectAIPromptHygiene", { enumerable: true, get: function () { return ai_prompt_hygiene_2.detectAIPromptHygiene; } });
|
|
369
|
+
var ai_execution_sinks_2 = require("./ai-execution-sinks");
|
|
370
|
+
Object.defineProperty(exports, "detectAIExecutionSinks", { enumerable: true, get: function () { return ai_execution_sinks_2.detectAIExecutionSinks; } });
|
|
371
|
+
var ai_agent_tools_2 = require("./ai-agent-tools");
|
|
372
|
+
Object.defineProperty(exports, "detectAIAgentTools", { enumerable: true, get: function () { return ai_agent_tools_2.detectAIAgentTools; } });
|
|
373
|
+
// M5: New AI-era detectors
|
|
374
|
+
var ai_rag_safety_2 = require("./ai-rag-safety");
|
|
375
|
+
Object.defineProperty(exports, "detectRAGSafetyIssues", { enumerable: true, get: function () { return ai_rag_safety_2.detectRAGSafetyIssues; } });
|
|
376
|
+
var ai_endpoint_protection_2 = require("./ai-endpoint-protection");
|
|
377
|
+
Object.defineProperty(exports, "detectAIEndpointProtection", { enumerable: true, get: function () { return ai_endpoint_protection_2.detectAIEndpointProtection; } });
|
|
378
|
+
var ai_schema_validation_2 = require("./ai-schema-validation");
|
|
379
|
+
Object.defineProperty(exports, "detectAISchemaValidation", { enumerable: true, get: function () { return ai_schema_validation_2.detectAISchemaValidation; } });
|
|
380
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/layer2/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAqEH,sCA0NC;AA3RD,wEAAyF;AAEzF,8DAGiC;AACjC,2CAAsD;AACtD,+CAAgD;AAChD,+DAAgE;AAChE,mDAAoD;AACpD,2DAA4D;AAC5D,yDAA0D;AAC1D,2DAA0D;AAC1D,mDAAoD;AACpD,mDAAoD;AACpD,yCAAyC;AACzC,2DAA2D;AAC3D,6DAA6D;AAC7D,qDAAqD;AACrD,2BAA2B;AAC3B,mDAAuD;AACvD,qEAAqE;AACrE,iEAAiE;AACjE,sBAAsB;AACtB,oCAMiB;AAmCV,KAAK,UAAU,aAAa,CACjC,KAAiB,EACjB,UAAyB,EAAE;IAE3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;IAC5B,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG;QACZ,SAAS,EAAE,CAAC;QACZ,UAAU,EAAE,CAAC;QACb,kBAAkB,EAAE,CAAC;QACrB,YAAY,EAAE,CAAC;QACf,gBAAgB,EAAE,CAAC;QACnB,eAAe,EAAE,CAAC;QAClB,cAAc,EAAE,CAAC;QACjB,YAAY,EAAE,CAAC;QACf,YAAY,EAAE,CAAC;QACf,aAAa,EAAE,CAAC;QAChB,cAAc,EAAE,CAAC;QACjB,UAAU,EAAE,CAAC;QACb,2BAA2B;QAC3B,SAAS,EAAE,CAAC;QACZ,kBAAkB,EAAE,CAAC;QACrB,gBAAgB,EAAE,CAAC;KACpB,CAAA;IAED,mEAAmE;IACnE,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,IAAA,wCAAiB,EAAC,KAAK,CAAC,CAAA;IAE/E,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,wDAAwD;QACxD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,oBAAoB;YACpB,MAAM,gBAAgB,GAAG,IAAA,oCAAwB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAC1E,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAE/D,uBAAuB;YACvB,MAAM,qBAAqB,GAAG,IAAA,8CAAwB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/E,MAAM,mBAAmB,GAAG,IAAA,kCAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YACvE,MAAM,YAAY,GAAG,IAAA,0CAAsB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE;gBACnE,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;gBAC1C,WAAW,EAAE,iBAAiB;gBAC9B,eAAe,EAAE,OAAO,CAAC,eAAe;aACzC,CAAC,CAAA;YACF,MAAM,iBAAiB,GAAG,IAAA,wCAAqB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YACxE,MAAM,UAAU,GAAG,IAAA,wCAAoB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAChE,MAAM,oBAAoB,GAAG,IAAA,kCAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YACxE,MAAM,YAAY,GAAG,IAAA,kCAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,gBAAgB,CAAC,CAA
A;YAE1F,gFAAgF;YAChF,MAAM,qBAAqB,GAAG,IAAA,yCAAqB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAC5E,MAAM,qBAAqB,GAAG,IAAA,2CAAsB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAC7E,MAAM,iBAAiB,GAAG,IAAA,mCAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAErE,2BAA2B;YAC3B,MAAM,iBAAiB,GAAG,IAAA,qCAAqB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YACxE,MAAM,0BAA0B,GAAG,IAAA,mDAA0B,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE;gBACrF,gBAAgB,EAAE,OAAO,CAAC,gBAAgB;aAC3C,CAAC,CAAA;YACF,MAAM,wBAAwB,GAAG,IAAA,+CAAwB,EAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAA;YAElF,KAAK,CAAC,SAAS,IAAI,gBAAgB,CAAC,MAAM,CAAA;YAC1C,KAAK,CAAC,UAAU,IAAI,aAAa,CAAC,MAAM,CAAA;YACxC,KAAK,CAAC,kBAAkB,IAAI,qBAAqB,CAAC,MAAM,CAAA;YACxD,KAAK,CAAC,YAAY,IAAI,mBAAmB,CAAC,MAAM,CAAA;YAChD,KAAK,CAAC,gBAAgB,IAAI,YAAY,CAAC,MAAM,CAAA;YAC7C,KAAK,CAAC,eAAe,IAAI,iBAAiB,CAAC,MAAM,CAAA;YACjD,KAAK,CAAC,cAAc,IAAI,UAAU,CAAC,MAAM,CAAA;YACzC,KAAK,CAAC,YAAY,IAAI,oBAAoB,CAAC,MAAM,CAAA;YACjD,KAAK,CAAC,YAAY,IAAI,YAAY,CAAC,MAAM,CAAA;YACzC,KAAK,CAAC,aAAa,IAAI,qBAAqB,CAAC,MAAM,CAAA;YACnD,KAAK,CAAC,cAAc,IAAI,qBAAqB,CAAC,MAAM,CAAA;YACpD,KAAK,CAAC,UAAU,IAAI,iBAAiB,CAAC,MAAM,CAAA;YAC5C,KAAK,CAAC,SAAS,IAAI,iBAAiB,CAAC,MAAM,CAAA;YAC3C,KAAK,CAAC,kBAAkB,IAAI,0BAA0B,CAAC,MAAM,CAAA;YAC7D,KAAK,CAAC,gBAAgB,IAAI,wBAAwB,CAAC,MAAM,CAAA;YAEzD,eAAe,CAAC,IAAI,CAClB,GAAG,gBAAgB,EACnB,GAAG,aAAa,EAChB,GAAG,qBAAqB,EACxB,GAAG,mBAAmB,EACtB,GAAG,YAAY,EACf,GAAG,iBAAiB,EACpB,GAAG,UAAU,EACb,GAAG,oBAAoB,EACvB,GAAG,YAAY,EACf,GAAG,qBAAqB,EACxB,GAAG,qBAAqB,EACxB,GAAG,iBAAiB,EACpB,GAAG,iBAAiB,EACpB,GAAG,0BAA0B,EAC7B,GAAG,wBAAwB,CAC5B,CAAA;QACH,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,sBAAsB,GAAG,mBAAmB,CAAC,eAAe,CAAC,CAAA;IAEnE,uDAAuD;IACvD,qEAAqE;IACrE,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,KAAK,KAAK,CAAA;IAC3D,MAAM,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,KAAK,KAAK,CAAA;IAE3D,0CAA0C;IAC1C,MAAM,eAAe,GAA6B,EAAE,CAAA;IACpD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,eAAe,CAAC,YAAY,GAAG,EAAE,CAAA;IACnC,CAAC;IACD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,eAAe,CAAC,YAAY,GAAG,EAAE
,CAAA;IACnC,CAAC;IACD,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,6CAA6C;QAC7C,eAAe,CAAC,YAAY,GAAG;YAC7B,GAAG,CAAC,eAAe,CAAC,YAAY,IAAI,EAAE,CAAC;YACvC,GAAG,OAAO,CAAC,gBAAgB;SAC5B,CAAA;IACH,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,qBAAqB,EAAE,UAAU,EAAE,GAAG,IAAA,sCAAoB,EACtE,sBAAsB,EACtB,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CACtE,CAAA;IAED,0BAA0B;IAC1B,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,wBAAwB,UAAU,CAAC,MAAM,uCAAuC,CAAC,CAAA;QAC7F,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAA;QAC1C,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YACpC,QAAQ,CAAC,GAAG,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QACjF,CAAC;QACD,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,OAAO,MAAM,KAAK,KAAK,EAAE,CAAC,CAAA;QACxC,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,MAAM,QAAQ,GAA2B;QACvC,mBAAmB,EAAE,KAAK,CAAC,SAAS;QACpC,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,mBAAmB,EAAE,KAAK,CAAC,kBAAkB;QAC7C,aAAa,EAAE,KAAK,CAAC,YAAY;QACjC,iBAAiB,EAAE,KAAK,CAAC,gBAAgB;QACzC,gBAAgB,EAAE,KAAK,CAAC,eAAe;QACvC,eAAe,EAAE,KAAK,CAAC,cAAc;QACrC,aAAa,EAAE,KAAK,CAAC,YAAY;QACjC,aAAa,EAAE,KAAK,CAAC,YAAY;QACjC,iBAAiB,EAAE,KAAK,CAAC,aAAa;QACtC,kBAAkB,EAAE,KAAK,CAAC,cAAc;QACxC,cAAc,EAAE,KAAK,CAAC,UAAU;QAChC,2BAA2B;QAC3B,aAAa,EAAE,KAAK,CAAC,SAAS;QAC9B,sBAAsB,EAAE,KAAK,CAAC,kBAAkB;QAChD,oBAAoB,EAAE,KAAK,CAAC,gBAAgB;KAC7C,CAAA;IAED,sCAAsC;IACtC,MAAM,YAAY,GAA2B,EAAE,CAAA;IAC/C,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAA;QACzB,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;IAClD,CAAC;IAED,gCAAgC;IAChC,MAAM,aAAa,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAA;IAClG,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE,CAAC;QACzC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;IACxE,CAAC;IAED,8DAA8D;IAC9D,MAAM,SAAS,GAAG,IAAA,wBAAgB,EAChC,qBAAqB
,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAU,EAAE,CAAC,CAAC,CAC9E,CAAA;IAED,uDAAuD;IACvD,MAAM,eAAe,GAAuC;QAC1D,mBAAmB,EAAE,WAAW;QAChC,WAAW,EAAE,aAAa;QAC1B,mBAAmB,EAAE,qBAAqB;QAC1C,aAAa,EAAE,eAAe;QAC9B,iBAAiB,EAAE,mBAAmB;QACtC,gBAAgB,EAAE,kBAAkB;QACpC,eAAe,EAAE,mBAAmB;QACpC,aAAa,EAAE,eAAe;QAC9B,aAAa,EAAE,eAAe;QAC9B,iBAAiB,EAAE,mBAAmB;QACtC,kBAAkB,EAAE,oBAAoB;QACxC,cAAc,EAAE,gBAAgB;QAChC,2BAA2B;QAC3B,aAAa,EAAE,eAAe;QAC9B,sBAAsB,EAAE,wBAAwB;QAChD,oBAAoB,EAAE,sBAAsB;KAC7C,CAAA;IAED,sEAAsE;IACtE,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAA;IAC1E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QACrD,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACd,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,CAAA;YAC1C,MAAM,IAAI,GAAG,YAAY,CAAC,CAAC,CAAC,IAAA,6BAAqB,EAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;YAC3E,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,KAAK,KAAK,KAAK,IAAI,GAAG,CAAC,CAAA;QAChD,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,4CAA4C,IAAA,uBAAe,EAAC,SAAS,CAAC,EAAE,CAAC,CAAA;IAErF,OAAO;QACL,eAAe,EAAE,qBAAqB;QACtC,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM;QAC1D,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;QAChC,KAAK,EAAE;YACL,GAAG,EAAE,QAAQ;YACb,OAAO,EAAE,YAAY;YACrB,UAAU,EAAE,aAAa;YACzB,KAAK,EAAE,SAAS;YAChB,gBAAgB,EAAE,UAAU,CAAC,MAAM;SACpC;KACF,CAAA;AACH,CAAC;AAED,iDAAiD;AACjD,SAAS,UAAU,CAAC,QAAgB;IAClC,MAAM,cAAc,GAAG;QACrB,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;QAC5C,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK;QAC3C,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ;KACjC,CAAA;IAED,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;AAC3D,CAAC;AAED,wEAAwE;AACxE,SAAS,mBAAmB,CAAC,eAAgC;IAC3D,wDAAwD;IACxD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAyB,CAAA;IAE7C,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAA;QAClE,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE9B,mCAAmC;QACnC,IAAI,CAAC,QAAQ,IAAI,Y
AAY,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/E,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAED,oFAAoF;IACpF,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAA;IAC7C,MAAM,MAAM,GAAG,qBAAqB,CAAC,WAAW,CAAC,CAAA;IAEjD,mFAAmF;IACnF,OAAO,sBAAsB,CAAC,MAAM,CAAC,CAAA;AACvC,CAAC;AAED,0DAA0D;AAC1D,SAAS,qBAAqB,CAAC,eAAgC;IAC7D,IAAI,eAAe,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,eAAe,CAAA;IAEvD,6BAA6B;IAC7B,MAAM,MAAM,GAAG,IAAI,GAAG,EAA2B,CAAA;IACjD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAA;QAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;QACnC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACxB,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,sBAAsB;QACtB,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAA;QAEjD,2CAA2C;QAC3C,IAAI,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACtB,IAAI,WAAW,GAAG,CAAC,CAAA;QAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACrB,IAAI,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC;gBAC9C,8CAA8C;gBAC9C,WAAW,EAAE,CAAA;gBACb,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACjE,OAAO,GAAG;wBACR,GAAG,IAAI;wBACP,KAAK,EAAE,OAAO,CAAC,KAAK;wBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;qBACjC,CAAA;gBACH,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,4CAA4C;gBAC5C,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;oBACpB,OAAO,GAAG;wBACR,GAAG,OAAO;wBACV,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,KAAK,WAAW,eAAe;qBACvD,CAAA;gBACH,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;gBACpB,OAAO,GAAG,IAAI,CAAA;gBACd,WAAW,GAAG,CAAC,CAAA;YACjB,CAAC;QACH,CAAC;QAED,YAAY;QACZ,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;YACpB,OAAO,GAAG;gBACR,GAAG,OAAO;g
BACV,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,KAAK,WAAW,eAAe;aACvD,CAAA;QACH,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IACtB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,8EAA8E;AAC9E,SAAS,sBAAsB,CAAC,eAAgC;IAC9D,+DAA+D;IAC/D,MAAM,gBAAgB,GAA6B;QACjD,oDAAoD;QACpD,aAAa,EAAE,CAAC,oBAAoB,CAAC;QACrC,wDAAwD;QACxD,iBAAiB,EAAE,CAAC,oBAAoB,CAAC;QACzC,0CAA0C;QAC1C,GAAG,EAAE,CAAC,oBAAoB,CAAC;QAC3B,oDAAoD;QACpD,YAAY,EAAE,CAAC,kBAAkB,CAAC;KACnC,CAAA;IAED,yBAAyB;IACzB,MAAM,UAAU,GAAG,IAAI,GAAG,EAA2B,CAAA;IACrD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACnC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAA;QACjD,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;QACvC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IAC5B,CAAC;IAED,MAAM,MAAM,GAAoB,EAAE,CAAA;IAElC,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,UAAU,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,wBAAwB;QACxB,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;QAC7B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;YAChD,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;oBAC1B,IAAI,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;wBACxD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;oBACtB,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAA;IACxB,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,KAAK,GAA2B;QACpC,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;QACN,IAAI,EAAE,CAAC;KACR,CAAA;IACD,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;AAC7B,CAAC;AAED,yCAAsD;AAA7C,qHAAA,wBAAwB,OAAA;AACjC,6CAAgD;AAAvC,+GAAA,gBAAgB,OAAA;AACzB,6DAAgE;AAAvD,+HAAA,wBAAwB,OAAA;AACjC,iDAAoD;AAA3C,mHAAA,kBAAkB,OAAA;AAC3B,yDAA4D;AAAnD,2HAAA,sBAAsB,OAAA;AAC/B,uDAA0D;AAAjD,yHAAA,qBAAqB,OAAA;AAC9B,yDAA0D;AAAjD,yHAAA,oBAAoB,OAAA;AAC7B,iDAAoD;AAA3C,mHAAA,kBAAkB,OAAA;AAC3B,iDAAoD;AAA3C,mHAAA,kBAAkB,OAAA
;AAC3B,iCAAiC;AACjC,yDAA2D;AAAlD,0HAAA,qBAAqB,OAAA;AAC9B,2DAA6D;AAApD,4HAAA,sBAAsB,OAAA;AAC/B,mDAAqD;AAA5C,oHAAA,kBAAkB,OAAA;AAC3B,2BAA2B;AAC3B,iDAAuD;AAA9C,sHAAA,qBAAqB,OAAA;AAC9B,mEAAqE;AAA5D,oIAAA,0BAA0B,OAAA;AACnC,+DAAiE;AAAxD,gIAAA,wBAAwB,OAAA"}
|
|
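--- /dev/null
+++ b/package/dist/layer2/logic-gates.d.ts
@@ -0,0 +1,7 @@
+/**
+* Layer 2: Logic Gates Detection
+* Identifies security bypass patterns and dangerous logic flows
+*/
+import type { Vulnerability } from '../types';
+export declare function detectLogicGates(content: string, filePath: string): Vulnerability[];
+//# sourceMappingURL=logic-gates.d.ts.map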
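--- /dev/null
+++ b/package/dist/layer2/logic-gates.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"logic-gates.d.ts","sourceRoot":"","sources":["../../src/layer2/logic-gates.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AA8H7C,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,aAAa,EAAE,CA0CjB"}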
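--- /dev/null
+++ b/package/dist/layer2/logic-gates.js
@@ -0,0 +1,182 @@
+"use strict";
+/**
+* Layer 2: Logic Gates Detection
+* Identifies security bypass patterns and dangerous logic flows
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectLogicGates = detectLogicGates;
+// Patterns for security bypass logic
+const LOGIC_PATTERNS = [
+// Development mode bypasses
+{
+name: 'Development mode security bypass',
+pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]production['"]\s*\)\s*(return\s+true|return\s*;|continue|break)/gi,
+severity: 'high',
+description: 'Security check bypassed in non-production environments',
+suggestedFix: 'Remove development-only bypasses or ensure they cannot be triggered in production',
+},
+{
+name: 'Development mode auth skip',
+pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]development['"]\s*\)/gi,
+severity: 'medium',
+description: 'Code path that only runs in development - verify no security implications',
+suggestedFix: 'Ensure this development-only code does not bypass security controls',
+},
+// Auth bypasses
+{
+name: 'Authentication bypass pattern',
+pattern: /if\s*\(\s*(true|1|!false)\s*\)\s*{\s*(return|next|resolve)/gi,
+severity: 'critical',
+description: 'Hardcoded truthy condition may bypass authentication',
+suggestedFix: 'Remove hardcoded bypass and implement proper authentication check',
+},
+{
+name: 'Commented auth check',
+pattern: /\/\/\s*(if|await|return).*auth|\/\/.*verify.*token|\/\/.*check.*permission/gi,
+severity: 'high',
+description: 'Commented out authentication/authorization code detected',
+suggestedFix: 'Remove commented code or restore the security check',
+},
+// Skip validation patterns
+{
+name: 'Validation skip',
+pattern: /skipValidation\s*[=:]\s*true|validate\s*[=:]\s*false|noValidate\s*[=:]\s*true/gi,
+severity: 'high',
+description: 'Input validation explicitly disabled',
+suggestedFix: 'Enable validation or ensure this is intentional and documented',
+},
+// Debug/test bypasses
+{
+name: 'Debug bypass',
+pattern: /if\s*\(\s*(DEBUG|TEST|SKIP_AUTH|BYPASS|DISABLE_AUTH)\s*\)/gi,
+severity: 'high',
+description: 'Debug/test flag may bypass security controls',
+suggestedFix: 'Remove debug bypasses before deploying to production',
+},
+// Unsafe defaults
+{
+name: 'Unsafe default allow',
+pattern: /default\s*:\s*(return\s+true|allow|permit|grant)/gi,
+severity: 'medium',
+description: 'Default case allows access - should default to deny',
+suggestedFix: 'Change default behavior to deny access (fail-safe defaults)',
+},
+// Empty catch blocks
+{
+name: 'Empty error handler',
+pattern: /catch\s*\([^)]*\)\s*{\s*(\/\/.*)?}/gi,
+severity: 'medium',
+description: 'Empty catch block may hide security errors',
+suggestedFix: 'Log the error or handle it appropriately',
+},
+// Disabled security features
+{
+name: 'Disabled CSRF protection',
+pattern: /csrf\s*[=:]\s*false|disableCsrf|csrfProtection\s*[=:]\s*false/gi,
+severity: 'high',
+description: 'CSRF protection explicitly disabled',
+suggestedFix: 'Enable CSRF protection for state-changing requests',
+},
+{
+name: 'Disabled SSL verification',
+pattern: /rejectUnauthorized\s*[=:]\s*false|verify\s*[=:]\s*false|ssl\s*[=:]\s*false|NODE_TLS_REJECT_UNAUTHORIZED/gi,
+severity: 'critical',
+description: 'SSL/TLS certificate verification disabled',
+suggestedFix: 'Enable SSL verification to prevent man-in-the-middle attacks',
+},
+// Insecure comparisons
+{
+name: 'Timing attack vulnerable comparison',
+pattern: /===?\s*['"][^'"]{20,}['"]|password\s*===?\s*|token\s*===?\s*|secret\s*===?\s*/gi,
+severity: 'medium',
+description: 'Direct string comparison may be vulnerable to timing attacks',
+suggestedFix: 'Use constant-time comparison for secrets (e.g., crypto.timingSafeEqual)',
+},
+// Unsafe redirects
+{
+name: 'Open redirect vulnerability',
+pattern: /redirect\s*\(\s*(req\.(query|params|body)\.|request\.|url\.)/gi,
+severity: 'high',
+description: 'Redirect URL from user input may allow open redirect attacks',
+suggestedFix: 'Validate redirect URLs against an allowlist of trusted domains',
+},
+// Admin/superuser bypasses
+{
+name: 'Admin bypass pattern',
+pattern: /if\s*\(\s*(isAdmin|isSuperUser|isRoot|role\s*===?\s*['"]admin['"])\s*\)\s*(return|continue|break)/gi,
+severity: 'medium',
+description: 'Admin role bypasses normal security checks',
+suggestedFix: 'Ensure admin bypass is intentional and properly audited',
+},
+];
+// Check if line is a comment
+function isComment(line) {
+const trimmed = line.trim();
+return (trimmed.startsWith('//') ||
+trimmed.startsWith('#') ||
+trimmed.startsWith('*') ||
+trimmed.startsWith('/*'));
+}
+function detectLogicGates(content, filePath) {
+const vulnerabilities = [];
+const lines = content.split('\n');
+// Check each line against patterns
+lines.forEach((line, index) => {
+// Don't skip comments for the "commented auth check" pattern
+const shouldSkipComments = !line.trim().startsWith('//');
+for (const logicPattern of LOGIC_PATTERNS) {
+// Skip comment lines for most patterns
+if (shouldSkipComments && isComment(line) &&
+logicPattern.name !== 'Commented auth check') {
+continue;
+}
+const regex = new RegExp(logicPattern.pattern.source, logicPattern.pattern.flags);
+if (regex.test(line)) {
+vulnerabilities.push({
+id: `logic-${filePath}-${index + 1}-${logicPattern.name}`,
+filePath,
+lineNumber: index + 1,
+lineContent: line.trim(),
+severity: logicPattern.severity,
+category: 'security_bypass',
+title: logicPattern.name,
+description: logicPattern.description,
+suggestedFix: logicPattern.suggestedFix,
+confidence: 'medium',
+layer: 2,
+});
+break; // Only report once per line
+}
+}
+});
+// Multi-line pattern detection (for more complex patterns)
+const multiLineFindings = detectMultiLinePatterns(content, filePath);
+vulnerabilities.push(...multiLineFindings);
+return vulnerabilities;
+}
+// Detect patterns that span multiple lines
+function detectMultiLinePatterns(content, filePath) {
+const vulnerabilities = [];
+const lines = content.split('\n');
+// Detect try-catch with empty or minimal error handling
+const tryCatchPattern = /try\s*{[\s\S]*?}\s*catch\s*\([^)]*\)\s*{\s*(\n\s*)*(\/\/[^\n]*)?\s*}/g;
+let match;
+while ((match = tryCatchPattern.exec(content)) !== null) {
+const lineNumber = content.substring(0, match.index).split('\n').length;
+vulnerabilities.push({
+id: `logic-multiline-${filePath}-${lineNumber}`,
+filePath,
+lineNumber,
+lineContent: lines[lineNumber - 1]?.trim() || 'try {',
+severity: 'medium',
+category: 'security_bypass',
+title: 'Silent error handling',
+description: 'Try-catch block with minimal error handling may hide security issues',
+suggestedFix: 'Log errors appropriately and handle them based on type',
+confidence: 'low',
+layer: 2,
+});
+}
+return vulnerabilities;
+}
+//# sourceMappingURL=logic-gates.js.map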
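Review bot: The `tryCatchPattern` regex at line 162 nests one whitespace quantifier inside another (`{\s*(\n\s*)*`), and because `\s` already matches `\n`, a catch block opened with a run of blank lines whose body is not empty appears to make the engine try exponentially many splits before failing, which can stall a scan on an ordinary source file; `(\n\s*)*` adds nothing to what the regex accepts, so `/try\s*{[\s\S]*?}\s*catch\s*\([^)]*\)\s*{\s*(?:\/\/[^\n]*\s*)?}/g` finds the same blocks without the overlapping quantifiers. On lines 126–132 the `shouldSkipComments` flag is false exactly when the line starts with `//`, so such lines are run through every rule and a prose comment such as `// never set rejectUnauthorized: false` is reported as a critical `Disabled SSL verification` finding before the `Commented auth check` rule is reached; dropping that binding and guarding with `if (isComment(line) && logicPattern.name !== 'Commented auth check') { continue; }` matches what the comments on lines 125 and 128 describe. A one-line empty catch is also reported twice, once by the `Empty error handler` rule and again by detectMultiLinePatterns, which deserves a sentence in the header comment if that is intended.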
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"logic-gates.js","sourceRoot":"","sources":["../../src/layer2/logic-gates.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAgIH,4CA6CC;AAjKD,qCAAqC;AACrC,MAAM,cAAc,GAAmB;IACrC,4BAA4B;IAC5B;QACE,IAAI,EAAE,kCAAkC;QACxC,OAAO,EAAE,oHAAoH;QAC7H,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wDAAwD;QACrE,YAAY,EAAE,mFAAmF;KAClG;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,yEAAyE;QAClF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,2EAA2E;QACxF,YAAY,EAAE,qEAAqE;KACpF;IACD,gBAAgB;IAChB;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sDAAsD;QACnE,YAAY,EAAE,mEAAmE;KAClF;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0DAA0D;QACvE,YAAY,EAAE,qDAAqD;KACpE;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;QACnD,YAAY,EAAE,gEAAgE;KAC/E;IACD,sBAAsB;IACtB;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,6DAA6D;QACtE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,sDAAsD;KACrE;IACD,kBAAkB;IAClB;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,qDAAqD;QAClE,YAAY,EAAE,6DAA6D;KAC5E;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,0CAA0C;KACzD;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qCAAqC;QAClD,YAAY,EAAE,oDAAoD;KACnE;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2GAA2G;QACpH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;QACxD,YAAY,EAAE,8DAA8D;KAC7E;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,qCAAqC;QAC3C,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,yEAAyE;KACxF;IACD,mBAAmB;IACnB;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,gEAAgE;KAC/E;IACD,2BAA2B;IAC3B;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,qGAAqG;QAC9G,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,yDAAyD;KACxE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE
,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,SAAgB,gBAAgB,CAC9B,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,mCAAmC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,6DAA6D;QAC7D,MAAM,kBAAkB,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,CAAA;QAExD,KAAK,MAAM,YAAY,IAAI,cAAc,EAAE,CAAC;YAC1C,uCAAuC;YACvC,IAAI,kBAAkB,IAAI,SAAS,CAAC,IAAI,CAAC;gBACrC,YAAY,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBACjD,SAAQ;YACV,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,MAAM,EAAE,YAAY,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEjF,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,SAAS,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,YAAY,CAAC,IAAI,EAAE;oBACzD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,YAAY,CAAC,QAAQ;oBAC/B,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,YAAY,CAAC,IAAI;oBACxB,WAAW,EAAE,YAAY,CAAC,WAAW;oBACrC,YAAY,EAAE,YAAY,CAAC,YAAY;oBACvC,UAAU,EAAE,QAAQ;oBACpB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,2DAA2D;IAC3D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;IACpE,eAAe,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,CAAA;IAE1C,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,2CAA2C;AAC3C,SAAS,uBAAuB,CAAC,OAAe,EAAE,QAAgB;IAChE,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,wDAAwD;IACxD,MAAM,eAAe,GAAG,uEAAuE,CAAA;IAC/F,IAAI,KAAK,CAAA;IAET,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxD,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;QACvE,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,mBAAmB,QAAQ,IAAI,UAAU,EAAE;YAC/C,QAAQ;YACR,UAAU;YACV,WAAW,EAAE,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,OAAO;YACrD,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EAAE,iBAAiB;YAC3B,KAA
K,EAAE,uBAAuB;YAC9B,WAAW,EAAE,sEAAsE;YACnF,YAAY,EAAE,wDAAwD;YACtE,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
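--- /dev/null
+++ b/package/dist/layer2/risky-imports.d.ts
@@ -0,0 +1,7 @@
+/**
+* Layer 2: Risky Import/Package Analysis
+* Detects imports of packages known to have security concerns or deprecated
+*/
+import type { Vulnerability } from '../types';
+export declare function detectRiskyImports(content: string, filePath: string): Vulnerability[];
+//# sourceMappingURL=risky-imports.d.ts.map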
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"risky-imports.d.ts","sourceRoot":"","sources":["../../src/layer2/risky-imports.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AAkJpE,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,aAAa,EAAE,CA+BjB"}
|