@oculum/scanner 1.0.0

package/dist/layer2/risky-imports.js

@@ -0,0 +1,161 @@
+"use strict";
+/**
+ * Layer 2: Risky Import/Package Analysis
+ * Detects imports of packages known to have security concerns or deprecated
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectRiskyImports = detectRiskyImports;
+const RISKY_PACKAGES = [
+    // Known vulnerable or deprecated packages
+    {
+        name: 'request (deprecated)',
+        pattern: /require\s*\(\s*['"]request['"]\s*\)|from\s+['"]request['"]/gi,
+        severity: 'medium',
+        description: 'The "request" package is deprecated and no longer maintained',
+        suggestedFix: 'Migrate to fetch, axios, or node-fetch',
+    },
+    {
+        name: 'node-uuid (deprecated)',
+        pattern: /require\s*\(\s*['"]node-uuid['"]\s*\)|from\s+['"]node-uuid['"]/gi,
+        severity: 'low',
+        description: 'node-uuid is deprecated in favor of uuid package',
+        suggestedFix: 'Use the "uuid" package instead',
+    },
+    // Packages with known security issues
+    {
+        name: 'lodash (full import)',
+        pattern: /require\s*\(\s*['"]lodash['"]\s*\)|import\s+\*?\s*(?:as\s+)?\w+\s+from\s+['"]lodash['"]/gi,
+        severity: 'low',
+        description: 'Full lodash import increases bundle size and attack surface',
+        suggestedFix: 'Import specific functions: import get from "lodash/get"',
+    },
+    {
+        name: 'moment.js (deprecated)',
+        pattern: /require\s*\(\s*['"]moment['"]\s*\)|from\s+['"]moment['"]/gi,
+        severity: 'low',
+        description: 'Moment.js is in maintenance mode, consider alternatives',
+        suggestedFix: 'Use date-fns, dayjs, or native Intl APIs',
+    },
+    // Security-focused sandbox packages - info only (these are used for security, not risky)
+    {
+        name: 'vm2 (sandbox)',
+        pattern: /require\s*\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/gi,
+        severity: 'info',
+        description: 'vm2 is a sandboxing library. While it has had sandbox escape vulnerabilities historically, using it is generally safer than running untrusted code directly. Keep vm2 updated.',
+        suggestedFix: 'Keep vm2 updated to the latest version. For maximum isolation, consider isolated-vm or running in a separate process.',
+    },
+    {
+        name: 'serialize-javascript (RCE risk)',
+        pattern: /require\s*\(\s*['"]serialize-javascript['"]\s*\)|from\s+['"]serialize-javascript['"]/gi,
+        severity: 'medium',
+        description: 'serialize-javascript can be dangerous if output is not properly handled',
+        suggestedFix: 'Ensure serialized output is not directly executed or use JSON.stringify',
+    },
+    // Crypto-related risky imports
+    {
+        name: 'crypto-js (outdated patterns)',
+        pattern: /require\s*\(\s*['"]crypto-js['"]\s*\)|from\s+['"]crypto-js['"]/gi,
+        severity: 'low',
+        description: 'crypto-js may use outdated crypto patterns',
+        suggestedFix: 'Prefer Node.js built-in crypto module or Web Crypto API',
+    },
+    {
+        name: 'bcrypt-nodejs (deprecated)',
+        pattern: /require\s*\(\s*['"]bcrypt-nodejs['"]\s*\)|from\s+['"]bcrypt-nodejs['"]/gi,
+        severity: 'medium',
+        description: 'bcrypt-nodejs is deprecated and unmaintained',
+        suggestedFix: 'Use bcrypt or bcryptjs instead',
+    },
+    // SQL/Database risky patterns
+    {
+        name: 'mysql (prefer mysql2)',
+        pattern: /require\s*\(\s*['"]mysql['"]\s*\)|from\s+['"]mysql['"]/gi,
+        severity: 'low',
+        description: 'mysql package is less maintained than mysql2',
+        suggestedFix: 'Consider using mysql2 for better security and performance',
+    },
+    // Python risky imports
+    {
+        name: 'pickle (unsafe deserialization)',
+        pattern: /^import\s+pickle|^from\s+pickle\s+import/gim,
+        severity: 'high',
+        description: 'pickle can execute arbitrary code during deserialization',
+        suggestedFix: 'Use JSON or other safe serialization formats for untrusted data',
+    },
+    {
+        name: 'yaml unsafe load',
+        pattern: /yaml\.load\s*\([^)]*\)(?!.*Loader)/gi,
+        severity: 'high',
+        description: 'yaml.load without Loader parameter can execute arbitrary code',
+        suggestedFix: 'Use yaml.safe_load() or specify Loader=yaml.SafeLoader',
+    },
+    {
+        name: 'subprocess shell=True',
+        pattern: /subprocess\.(call|run|Popen|check_output)\s*\([^)]*shell\s*=\s*True/gi,
+        severity: 'high',
+        description: 'subprocess with shell=True is vulnerable to shell injection',
+        suggestedFix: 'Use shell=False and pass arguments as a list',
+    },
+    // Telemetry/tracking packages (privacy concern)
+    {
+        name: 'Analytics package',
+        pattern: /require\s*\(\s*['"](analytics|segment|mixpanel|amplitude)['"]\s*\)|from\s+['"](analytics|segment|mixpanel|amplitude)['"]/gi,
+        severity: 'low',
+        description: 'Analytics package detected - ensure user consent is obtained',
+        suggestedFix: 'Implement proper consent mechanisms for user tracking',
+    },
+    // Outdated/vulnerable web frameworks
+    {
+        name: 'express-jwt (CVE history)',
+        pattern: /require\s*\(\s*['"]express-jwt['"]\s*\)|from\s+['"]express-jwt['"]/gi,
+        severity: 'medium',
+        description: 'express-jwt has had security vulnerabilities - ensure latest version',
+        suggestedFix: 'Update to latest version and consider jose or jsonwebtoken directly',
+    },
+    // Dangerous native modules
+    {
+        name: 'node-gyp native module',
+        pattern: /require\s*\(\s*['"]node-gyp['"]\s*\)|from\s+['"]node-gyp['"]/gi,
+        severity: 'low',
+        description: 'Native modules can introduce platform-specific vulnerabilities',
+        suggestedFix: 'Audit native dependencies and keep them updated',
+    },
+];
+// Check if line is a comment
+function isComment(line) {
+    const trimmed = line.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*'));
+}
+function detectRiskyImports(content, filePath) {
+    const vulnerabilities = [];
+    const lines = content.split('\n');
+    lines.forEach((line, index) => {
+        // Skip comment lines
+        if (isComment(line))
+            return;
+        for (const pkg of RISKY_PACKAGES) {
+            const regex = new RegExp(pkg.pattern.source, pkg.pattern.flags);
+            if (regex.test(line)) {
+                vulnerabilities.push({
+                    id: `risky-import-${filePath}-${index + 1}-${pkg.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: pkg.severity,
+                    category: 'suspicious_package',
+                    title: `Risky package: ${pkg.name}`,
+                    description: pkg.description,
+                    suggestedFix: pkg.suggestedFix,
+                    confidence: 'high',
+                    layer: 2,
+                });
+                break; // Only report once per line
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=risky-imports.js.map

package/dist/layer2/risky-imports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risky-imports.js","sourceRoot":"","sources":["../../src/layer2/risky-imports.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAoJH,gDAkCC;AA1KD,MAAM,cAAc,GAAmB;IACrC,0CAA0C;IAC1C;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,wCAAwC;KACvD;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,gCAAgC;KAC/C;IAED,sCAAsC;IACtC;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,yDAAyD;KACxE;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,4DAA4D;QACrE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE,0CAA0C;KACzD;IAED,yFAAyF;IACzF;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gLAAgL;QAC7L,YAAY,EAAE,uHAAuH;KACtI;IACD;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,wFAAwF;QACjG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yEAAyE;QACtF,YAAY,EAAE,yEAAyE;KACxF;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,yDAAyD;KACxE;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,0EAA0E;QACnF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,gCAAgC;KAC/C;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,2DAA2D;KAC1E;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0DAA0D;QACvE,YAAY,EAAE,iEAAiE;KAChF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,wDAAwD;KACvE;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,8CAA8C;KAC7D;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,4HAA4H;QACrI,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,uDAAuD;KACtE;IAED,qCAAqC;IACrC;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,qEAAqE;KACpF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,gEAAgE;QAC7E,YAAY,EAAE,iDAAiD;KAChE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAE/D,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,gBAAgB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE;oBACvD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,QAAQ,EAAE,oBAAoB;oBAC9B,KAAK,EAAE,kBAAkB,GAAG,CAAC,IAAI,EAAE;oBACnC,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,YAAY,EAAE,GAAG,CAAC,YAAY;oBAC9B,UAAU,EAAE,MAAM;oBAClB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer2/variables.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Layer 2: Variable Heuristics
+ * Identifies variable names associated with sensitive data
+ */
+import type { Vulnerability, SensitiveVariablePattern } from '../types';
+export declare const SENSITIVE_VARIABLE_PATTERNS: SensitiveVariablePattern[];
+export declare function detectSensitiveVariables(content: string, filePath: string): Vulnerability[];
+//# sourceMappingURL=variables.d.ts.map

package/dist/layer2/variables.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"variables.d.ts","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AAGvE,eAAO,MAAM,2BAA2B,EAAE,wBAAwB,EA0DjE,CAAA;AAqDD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,aAAa,EAAE,CA2CjB"}

package/dist/layer2/variables.js

@@ -0,0 +1,152 @@
+"use strict";
+/**
+ * Layer 2: Variable Heuristics
+ * Identifies variable names associated with sensitive data
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SENSITIVE_VARIABLE_PATTERNS = void 0;
+exports.detectSensitiveVariables = detectSensitiveVariables;
+// Patterns for sensitive variable names
+exports.SENSITIVE_VARIABLE_PATTERNS = [
+    // Password-related
+    {
+        pattern: /\b(password|passwd|pwd|pass)\s*[=:]/gi,
+        severity: 'high',
+        description: 'Variable name suggests password storage',
+    },
+    {
+        pattern: /\b(user_?password|admin_?password|db_?password|database_?password)\s*[=:]/gi,
+        severity: 'critical',
+        description: 'Variable name suggests database/admin password',
+    },
+    // Token-related
+    {
+        pattern: /\b(auth_?token|access_?token|refresh_?token|bearer_?token)\s*[=:]/gi,
+        severity: 'high',
+        description: 'Variable name suggests authentication token',
+    },
+    {
+        pattern: /\b(api_?token|api_?key|apikey)\s*[=:]/gi,
+        severity: 'high',
+        description: 'Variable name suggests API key/token',
+    },
+    // Secret-related
+    {
+        pattern: /\b(secret|secret_?key|private_?key|signing_?key)\s*[=:]/gi,
+        severity: 'high',
+        description: 'Variable name suggests secret/private key',
+    },
+    {
+        pattern: /\b(client_?secret|app_?secret|jwt_?secret)\s*[=:]/gi,
+        severity: 'critical',
+        description: 'Variable name suggests application secret',
+    },
+    // Credential-related
+    {
+        pattern: /\b(credential|credentials|creds)\s*[=:]/gi,
+        severity: 'high',
+        description: 'Variable name suggests credentials',
+    },
+    // Connection strings
+    {
+        pattern: /\b(connection_?string|conn_?string|database_?url|db_?url)\s*[=:]/gi,
+        severity: 'high',
+        description: 'Variable name suggests database connection string',
+    },
+    // Encryption keys
+    {
+        pattern: /\b(encryption_?key|decrypt_?key|cipher_?key|aes_?key)\s*[=:]/gi,
+        severity: 'critical',
+        description: 'Variable name suggests encryption key',
+    },
+    // SSH/Certificate
+    {
+        pattern: /\b(ssh_?key|private_?key|cert_?key|ssl_?key)\s*[=:]/gi,
+        severity: 'critical',
+        description: 'Variable name suggests SSH/SSL key',
+    },
+];
+// Check if the value looks like a placeholder or env var reference
+function isPlaceholderOrEnvRef(line) {
+    const safePatterns = [
+        /[=:]\s*['"]?\s*$/, // Empty value
+        /[=:]\s*['"]?xxx/i, // xxx placeholder
+        /[=:]\s*['"]?your[-_]/i, // your-xxx placeholder
+        /[=:]\s*['"]?<[^>]+>/, // <placeholder>
+        /[=:]\s*['"]?\$\{/, // ${VAR} template
+        /[=:]\s*['"]?process\.env/, // process.env reference
+        /[=:]\s*['"]?env\(/, // env() function
+        /[=:]\s*['"]?getenv/i, // getenv function
+        /[=:]\s*['"]?os\.environ/, // Python os.environ
+        /[=:]\s*['"]?ENV\[/, // Ruby ENV
+        /[=:]\s*null\b/i, // null value
+        /[=:]\s*undefined\b/, // undefined value
+        /[=:]\s*None\b/, // Python None
+        /[=:]\s*['"]?TODO/i, // TODO placeholder
+        /[=:]\s*['"]?CHANGEME/i, // CHANGEME placeholder
+        /[=:]\s*['"]?REPLACE/i, // REPLACE placeholder
+        /\?\s*.*\s*:\s*/, // Ternary operator (conditional assignment)
+        /\|\|/, // OR fallback (e.g., ENV_VAR || '')
+        /\?\?/, // Nullish coalescing
+        /[A-Z_]{3,}_(?:KEY|TOKEN|SECRET)/, // References to env var constants
+    ];
+    return safePatterns.some(pattern => pattern.test(line));
+}
+// Check if line is a comment
+function isComment(line) {
+    const trimmed = line.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*') ||
+        trimmed.startsWith('"""') ||
+        trimmed.startsWith("'''") ||
+        trimmed.startsWith('<!--'));
+}
+// Check if it's a type definition or interface
+function isTypeDefinition(line) {
+    return (/^\s*(type|interface|class)\s/.test(line) ||
+        /:\s*(string|number|boolean|any)\s*[;,}]/.test(line) ||
+        /\?\s*:\s*\w+/.test(line));
+}
+function detectSensitiveVariables(content, filePath) {
+    const vulnerabilities = [];
+    const lines = content.split('\n');
+    lines.forEach((line, index) => {
+        // Skip comments
+        if (isComment(line))
+            return;
+        // Skip type definitions
+        if (isTypeDefinition(line))
+            return;
+        // Skip if it's a placeholder/env reference
+        if (isPlaceholderOrEnvRef(line))
+            return;
+        for (const pattern of exports.SENSITIVE_VARIABLE_PATTERNS) {
+            const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+            if (regex.test(line)) {
+                // Extract the actual value to check if it's hardcoded
+                const valueMatch = line.match(/[=:]\s*['"]([^'"]+)['"]/i);
+                if (valueMatch && valueMatch[1].length > 3) {
+                    // Has a non-trivial hardcoded value
+                    vulnerabilities.push({
+                        id: `var-${filePath}-${index + 1}`,
+                        filePath,
+                        lineNumber: index + 1,
+                        lineContent: line.trim(),
+                        severity: pattern.severity,
+                        category: 'sensitive_variable',
+                        title: 'Sensitive variable with hardcoded value',
+                        description: pattern.description + '. The value appears to be hardcoded rather than loaded from environment.',
+                        suggestedFix: 'Move this sensitive value to an environment variable or secure secrets manager.',
+                        confidence: 'medium',
+                        layer: 2,
+                    });
+                }
+                break; // Only report once per line
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=variables.js.map

package/dist/layer2/variables.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"variables.js","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAoHH,4DA8CC;AA9JD,wCAAwC;AAC3B,QAAA,2BAA2B,GAA+B;IACrE,mBAAmB;IACnB;QACE,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gDAAgD;KAC9D;IACD,gBAAgB;IAChB;QACE,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,OAAO,EAAE,yCAAyC;QAClD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;KACpD;IACD,iBAAiB;IACjB;QACE,OAAO,EAAE,2DAA2D;QACpE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;KACzD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oCAAoC;KAClD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mDAAmD;KACjE;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uCAAuC;KACrD;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oCAAoC;KAClD;CACF,CAAA;AAED,mEAAmE;AACnE,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,YAAY,GAAG;QACnB,kBAAkB,EAAqB,cAAc;QACrD,kBAAkB,EAAqB,kBAAkB;QACzD,uBAAuB,EAAgB,uBAAuB;QAC9D,qBAAqB,EAAkB,gBAAgB;QACvD,kBAAkB,EAAqB,kBAAkB;QACzD,0BAA0B,EAAa,wBAAwB;QAC/D,mBAAmB,EAAoB,iBAAiB;QACxD,qBAAqB,EAAkB,kBAAkB;QACzD,yBAAyB,EAAc,oBAAoB;QAC3D,mBAAmB,EAAoB,WAAW;QAClD,gBAAgB,EAAuB,aAAa;QACpD,oBAAoB,EAAmB,kBAAkB;QACzD,eAAe,EAAwB,cAAc;QACrD,mBAAmB,EAAoB,mBAAmB;QAC1D,uBAAuB,EAAgB,uBAAuB;QAC9D,sBAAsB,EAAiB,sBAAsB;QAC7D,gBAAgB,EAAuB,4CAA4C;QACnF,MAAM,EAAiC,oCAAoC;QAC3E,MAAM,EAAiC,qBAAqB;QAC5D,iCAAiC,EAAM,kCAAkC;KAC1E,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;AACzD,CAAC;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAC3B,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,CACL,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC;QACzC,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC;QACpD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAC1B,CAAA;AACH,CAAC;AAED,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,wBAAwB;QACxB,IAAI,gBAAgB,CAAC,IAAI,CAAC;YAAE,OAAM;QAElC,2CAA2C;QAC3C,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,OAAM;QAEvC,KAAK,MAAM,OAAO,IAAI,mCAA2B,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,sDAAsD;gBACtD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAA;gBAEzD,IAAI,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3C,oCAAoC;oBACpC,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,KAAK,GAAG,CAAC,EAAE;wBAClC,QAAQ;wBACR,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,QAAQ,EAAE,oBAAoB;wBAC9B,KAAK,EAAE,yCAAyC;wBAChD,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,0EAA0E;wBAC7G,YAAY,EAAE,iFAAiF;wBAC/F,UAAU,EAAE,QAAQ;wBACpB,KAAK,EAAE,CAAC;qBACT,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer3/anthropic.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Layer 3: AI Semantic Analysis
+ * Uses Claude to perform deep security analysis including:
+ * - Taint analysis (data flow from sources to sinks)
+ * - Business logic flaw detection
+ * - Missing authorization checks
+ * - Cryptography validation
+ * - Data exposure detection
+ * - Framework-specific deep analysis
+ */
+import type { Vulnerability, ScanFile } from '../types';
+import { type ProjectContext } from '../utils/project-context-builder';
+export interface ValidationStats {
+    /** Total findings processed (input) */
+    totalFindings: number;
+    /** Findings that went through AI validation */
+    validatedFindings: number;
+    /** Findings confirmed as true positives */
+    confirmedFindings: number;
+    /** Findings dismissed as false positives */
+    dismissedFindings: number;
+    /** Findings with severity adjusted down */
+    downgradedFindings: number;
+    /** Findings auto-dismissed before AI (test files, etc.) */
+    autoDismissedFindings: number;
+    /** Estimated input tokens used */
+    estimatedInputTokens: number;
+    /** Estimated output tokens used */
+    estimatedOutputTokens: number;
+    /** Estimated cost in USD (based on Haiku pricing) */
+    estimatedCost: number;
+    /** Number of API calls made */
+    apiCalls: number;
+    /** Cache creation tokens (first write to cache) */
+    cacheCreationTokens: number;
+    /** Cache read tokens (subsequent reads from cache) */
+    cacheReadTokens: number;
+    /** Cache hit rate (0-1) */
+    cacheHitRate: number;
+}
+export interface AIValidationResult {
+    vulnerabilities: Vulnerability[];
+    stats: ValidationStats;
+}
+/**
+ * Apply smart auto-dismiss rules to filter obvious false positives
+ * Returns findings that should be sent to AI validation
+ */
+export declare function applyAutoDismissRules(findings: Vulnerability[]): {
+    toValidate: Vulnerability[];
+    dismissed: Array<{
+        finding: Vulnerability;
+        rule: string;
+        reason: string;
+    }>;
+};
+export interface Layer3Context {
+    /** Middleware configuration from project scan */
+    middlewareConfig?: {
+        hasAuthMiddleware: boolean;
+        authType?: string;
+        protectedPaths: string[];
+    };
+    /** Auth helper context */
+    authHelpers?: {
+        hasThrowingHelpers: boolean;
+        summary: string;
+    };
+    /** Additional context string */
+    additionalContext?: string;
+}
+export declare function analyzeWithAI(file: ScanFile, context?: Layer3Context): Promise<Vulnerability[]>;
+export declare function batchAnalyzeWithAI(files: ScanFile[], context?: Layer3Context, maxConcurrent?: number): Promise<Vulnerability[]>;
+/**
+ * Validate Layer 1/2 findings using AI with HIGH-CONTEXT validation
+ *
+ * Key improvements over previous version:
+ * 1. Sends FULL FILE CONTENT (not just snippets) for better context
+ * 2. Includes PROJECT CONTEXT (auth patterns, data access, etc.)
+ * 3. Uses generalised rules from Section 3 of the security model
+ */
+export declare function validateFindingsWithAI(findings: Vulnerability[], files: ScanFile[], projectContext?: ProjectContext): Promise<AIValidationResult>;
+//# sourceMappingURL=anthropic.d.ts.map

package/dist/layer3/anthropic.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../src/layer3/anthropic.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,KAAK,EAAE,aAAa,EAAgD,QAAQ,EAAoB,MAAM,UAAU,CAAA;AASvH,OAAO,EAAiD,KAAK,cAAc,EAAE,MAAM,kCAAkC,CAAA;AAQrH,MAAM,WAAW,eAAe;IAC9B,uCAAuC;IACvC,aAAa,EAAE,MAAM,CAAA;IACrB,+CAA+C;IAC/C,iBAAiB,EAAE,MAAM,CAAA;IACzB,2CAA2C;IAC3C,iBAAiB,EAAE,MAAM,CAAA;IACzB,4CAA4C;IAC5C,iBAAiB,EAAE,MAAM,CAAA;IACzB,2CAA2C;IAC3C,kBAAkB,EAAE,MAAM,CAAA;IAC1B,2DAA2D;IAC3D,qBAAqB,EAAE,MAAM,CAAA;IAC7B,kCAAkC;IAClC,oBAAoB,EAAE,MAAM,CAAA;IAC5B,mCAAmC;IACnC,qBAAqB,EAAE,MAAM,CAAA;IAC7B,qDAAqD;IACrD,aAAa,EAAE,MAAM,CAAA;IACrB,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAA;IAChB,mDAAmD;IACnD,mBAAmB,EAAE,MAAM,CAAA;IAC3B,sDAAsD;IACtD,eAAe,EAAE,MAAM,CAAA;IACvB,2BAA2B;IAC3B,YAAY,EAAE,MAAM,CAAA;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,eAAe,EAAE,aAAa,EAAE,CAAA;IAChC,KAAK,EAAE,eAAe,CAAA;CACvB;AAyLD;;;GAGG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,aAAa,EAAE,GAAG;IAChE,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,SAAS,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,aAAa,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC3E,CAyBA;AAyID,MAAM,WAAW,aAAa;IAC5B,iDAAiD;IACjD,gBAAgB,CAAC,EAAE;QACjB,iBAAiB,EAAE,OAAO,CAAA;QAC1B,QAAQ,CAAC,EAAE,MAAM,CAAA;QACjB,cAAc,EAAE,MAAM,EAAE,CAAA;KACzB,CAAA;IACD,0BAA0B;IAC1B,WAAW,CAAC,EAAE;QACZ,kBAAkB,EAAE,OAAO,CAAA;QAC3B,OAAO,EAAE,MAAM,CAAA;KAChB,CAAA;IACD,gCAAgC;IAChC,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B;AAoCD,wBAAsB,aAAa,CACjC,IAAI,EAAE,QAAQ,EACd,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,aAAa,EAAE,CAAC,CA+D1B;AAiED,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,QAAQ,EAAE,EACjB,OAAO,CAAC,EAAE,aAAa,EACvB,aAAa,GAAE,MAAU,GACxB,OAAO,CAAC,aAAa,EAAE,CAAC,CAqB1B;AAgrBD;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,CAC1C,QAAQ,EAAE,aAAa,EAAE,EACzB,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,CAAC,EAAE,cAAc,GAC9B,OAAO,CAAC,kBAAkB,CAAC,CAoT7B"}