npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/package.json ADDED Viewed

@@ -0,0 +1,45 @@
+{
+  "name": "@oculum/scanner",
+  "version": "1.0.0",
+  "description": "AI-native security scanner for detecting vulnerabilities in LLM-generated code",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.js"
+    },
+    "./formatters": {
+      "types": "./dist/formatters/index.d.ts",
+      "import": "./dist/formatters/index.js",
+      "require": "./dist/formatters/index.js"
+    },
+    "./types": {
+      "types": "./dist/types.d.ts",
+      "import": "./dist/types.js",
+      "require": "./dist/types.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "echo \"No tests configured yet\"",
+    "lint": "eslint src/"
+  },
+  "dependencies": {
+    "@anthropic-ai/sdk": "^0.71.2",
+    "openai": "^6.16.0"
+  },
+  "devDependencies": {
+    "@types/jest": "^30.0.0",
+    "@types/node": "^20",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.4.6",
+    "typescript": "^5"
+  },
+  "files": [
+    "dist",
+    "src"
+  ]
+}

package/src/__tests__/benchmark/fixtures/false-positives.ts ADDED Viewed

@@ -0,0 +1,227 @@
+/**
+ * False Positive Test Fixtures
+ * Files that should NOT generate high-severity findings
+ */
+import type { TestFixture } from '../types'
+/**
+ * Test/Mock files should be ignored
+ */
+export const testFileFixture: TestFixture = {
+  name: 'Test File - Should Not Flag',
+  expectFindings: false,
+  description: 'Test files with mock data should not generate high-severity findings',
+  file: {
+    path: 'src/__tests__/auth.test.ts',
+    content: `
+// Test file - all these should be SAFE
+const TEST_API_KEY = "sk-test-12345"
+const MOCK_SECRET = "mock-secret-for-testing"
+describe('Authentication', () => {
+  it('should authenticate with valid key', async () => {
+    const result = await authenticate(TEST_API_KEY)
+    expect(result).toBeTruthy()
+  })
+  it('should reject eval for testing', () => {
+    // Testing eval handling
+    expect(() => eval('1+1')).not.toThrow()
+  })
+})
+`,
+    language: 'typescript',
+    size: 400,
+  },
+}
+/**
+ * Example/documentation files should be ignored
+ */
+export const exampleFileFixture: TestFixture = {
+  name: 'Example File - Should Not Flag',
+  expectFindings: false,
+  description: 'Example files with placeholder values should not be flagged',
+  file: {
+    path: 'examples/getting-started.ts',
+    content: `
+// Example file - all these should be SAFE
+const EXAMPLE_API_KEY = "your-api-key-here"
+const SAMPLE_SECRET = "replace-with-your-secret"
+// Example usage
+const client = new Client({
+  apiKey: EXAMPLE_API_KEY
+})
+// Example SQL (for documentation)
+const exampleQuery = "SELECT * FROM users WHERE id = '" + userId + "'"
+`,
+    language: 'typescript',
+    size: 300,
+  },
+}
+/**
+ * Configuration files with env vars should be mostly safe
+ */
+export const configFileFixture: TestFixture = {
+  name: 'Config File - Should Not Flag',
+  expectFindings: false,
+  description: 'Config files using environment variables should be safe',
+  file: {
+    path: 'src/config/index.ts',
+    content: `
+// All from environment - SAFE
+export const config = {
+  database: {
+    url: process.env.DATABASE_URL!,
+    poolSize: parseInt(process.env.DB_POOL_SIZE || '10'),
+  },
+  auth: {
+    secret: process.env.JWT_SECRET!,
+    expiresIn: process.env.JWT_EXPIRES_IN || '7d',
+  },
+  api: {
+    openaiKey: process.env.OPENAI_API_KEY!,
+    anthropicKey: process.env.ANTHROPIC_API_KEY!,
+  },
+}
+// Type checking
+if (!config.database.url) {
+  throw new Error('DATABASE_URL is required')
+}
+`,
+    language: 'typescript',
+    size: 500,
+  },
+}
+/**
+ * Middleware file that protects routes
+ */
+export const middlewareFileFixture: TestFixture = {
+  name: 'Middleware - Should Detect Auth',
+  expectFindings: false,
+  description: 'Middleware files should not generate auth warnings',
+  file: {
+    path: 'middleware.ts',
+    content: `
+import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server'
+const isPublicRoute = createRouteMatcher([
+  '/sign-in(.*)',
+  '/sign-up(.*)',
+  '/api/webhook(.*)',
+  '/',
+])
+export default clerkMiddleware((auth, request) => {
+  if (!isPublicRoute(request)) {
+    auth().protect()
+  }
+})
+export const config = {
+  matcher: ['/((?!.+\\.[\\w]+$|_next).*)', '/', '/(api|trpc)(.*)'],
+}
+`,
+    language: 'typescript',
+    size: 400,
+  },
+}
+/**
+ * Routes under /api should NOT be flagged (protected by middleware)
+ */
+export const protectedApiRouteFixture: TestFixture = {
+  name: 'Protected Route - Should Not Flag Missing Auth',
+  expectFindings: false,
+  description: 'Routes protected by middleware should not be flagged for missing auth',
+  file: {
+    path: 'app/api/user/settings/route.ts',
+    content: `
+import { NextResponse } from 'next/server'
+import { db } from '@/lib/db'
+import { getCurrentUserId } from '@/lib/auth'
+// Protected by Clerk middleware - Should NOT flag as missing auth
+export async function GET() {
+  const userId = await getCurrentUserId()  // Throws if not authenticated
+  const settings = await db.settings.findUnique({
+    where: { userId }
+  })
+  return NextResponse.json(settings)
+}
+export async function PUT(request: Request) {
+  const userId = await getCurrentUserId()
+  const body = await request.json()
+  await db.settings.update({
+    where: { userId },
+    data: body
+  })
+  return NextResponse.json({ success: true })
+}
+`,
+    language: 'typescript',
+    size: 600,
+  },
+}
+/**
+ * Documentation/README files
+ */
+export const documentationFixture: TestFixture = {
+  name: 'Documentation - Should Not Flag',
+  expectFindings: false,
+  description: 'Documentation files should not be flagged',
+  file: {
+    path: 'docs/API_GUIDE.md',
+    content: `
+# API Guide
+## Authentication
+To authenticate, you need an API key:
+\`\`\`typescript
+const client = new Client({
+  apiKey: "sk-your-api-key-here"
+})
+\`\`\`
+## Example Query
+\`\`\`sql
+SELECT * FROM users WHERE id = 'user_123'
+\`\`\`
+## Configuration
+Set these environment variables:
+- \`API_KEY=your-api-key\`
+- \`DATABASE_URL=postgresql://localhost/mydb\`
+`,
+    language: 'markdown',
+    size: 400,
+  },
+}
+/**
+ * All false positive fixtures
+ */
+export const falsePositiveFixtures: TestFixture[] = [
+  testFileFixture,
+  exampleFileFixture,
+  configFileFixture,
+  middlewareFileFixture,
+  protectedApiRouteFixture,
+  documentationFixture,
+]

package/src/__tests__/benchmark/fixtures/index.ts ADDED Viewed

@@ -0,0 +1,68 @@
+/**
+ * Main Fixtures Index
+ * Exports all test fixtures for the security benchmark suite
+ */
+// Layer 1 fixtures
+export * from './layer1'
+export { layer1TestGroups, highEntropyTests } from './layer1'
+// Layer 2 fixtures
+export * from './layer2'
+export { layer2TestGroups } from './layer2'
+// False positive fixtures
+export { falsePositiveFixtures } from './false-positives'
+export {
+  testFileFixture,
+  exampleFileFixture,
+  configFileFixture,
+  middlewareFileFixture,
+  protectedApiRouteFixture,
+  documentationFixture,
+} from './false-positives'
+import type { TestGroup, TestFixture } from '../types'
+import { layer1TestGroups, highEntropyTests } from './layer1'
+import { layer2TestGroups } from './layer2'
+import { falsePositiveFixtures } from './false-positives'
+/**
+ * All test groups organized by layer and tier
+ */
+export const allTestGroups: TestGroup[] = [
+  ...layer1TestGroups,
+  highEntropyTests,
+  ...layer2TestGroups,
+]
+/**
+ * Get all true positive fixtures
+ */
+export function getAllTruePositives(): TestFixture[] {
+  return allTestGroups.flatMap(group => group.truePositives)
+}
+/**
+ * Get all false negative fixtures
+ */
+export function getAllFalseNegatives(): TestFixture[] {
+  return [
+    ...allTestGroups.flatMap(group => group.falseNegatives),
+    ...falsePositiveFixtures,
+  ]
+}
+/**
+ * Get test groups by layer
+ */
+export function getTestGroupsByLayer(layer: 1 | 2): TestGroup[] {
+  return allTestGroups.filter(group => group.layer === layer)
+}
+/**
+ * Get test groups by tier
+ */
+export function getTestGroupsByTier(tier: 'A' | 'B' | 'C'): TestGroup[] {
+  return allTestGroups.filter(group => group.tier === tier)
+}

package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts ADDED Viewed

@@ -0,0 +1,364 @@
+/**
+ * Configuration Audit Test Fixtures
+ * Tests for detecting security misconfigurations in config files
+ */
+import type { TestGroup } from '../../types'
+export const configAuditTests: TestGroup = {
+  name: 'Configuration Auditing',
+  tier: 'B',
+  layer: 1,
+  description: 'Detection of security misconfigurations in Dockerfile, CORS, Next.js, and package.json',
+  truePositives: [
+    {
+      name: 'Dockerfile Security Issues',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Dockerfile misconfigurations that MUST be detected',
+      file: {
+        path: 'Dockerfile',
+        content: `
+FROM node:18-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm install
+COPY . .
+# Explicitly running as root - HIGH
+USER root
+# Hardcoded secrets in build args - CRITICAL
+ARG DATABASE_PASSWORD=supersecret123
+ARG API_SECRET_KEY=sk-live-abc123
+ENV JWT_SECRET=my-jwt-signing-key
+ENV DB_PASSWORD=production-db-pass
+EXPOSE 3000
+CMD ["npm", "start"]
+`,
+        language: 'dockerfile',
+        size: 350,
+      },
+    },
+    {
+      name: 'Permissive CORS Configuration',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Wildcard CORS that MUST be detected',
+      file: {
+        path: 'src/server/cors.ts',
+        content: `
+import express from 'express'
+import cors from 'cors'
+const app = express()
+// Permissive CORS - MEDIUM
+app.use(cors({
+  origin: '*',
+  credentials: true,
+}))
+// Another pattern - MEDIUM
+const headers = {
+  'Access-Control-Allow-Origin': '*',
+  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
+}
+// Config object pattern - MEDIUM
+const corsConfig = {
+  allowedOrigins: ['*'],
+  origin: '*',
+}
+// In response header
+res.setHeader('Access-Control-Allow-Origin', '*')
+`,
+        language: 'typescript',
+        size: 450,
+      },
+    },
+    {
+      name: 'Next.js Security Config',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Next.js security misconfigurations that MUST be detected',
+      file: {
+        path: 'next.config.js',
+        content: `
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  // Exposing X-Powered-By header - LOW
+  poweredByHeader: true,
+  // Exposing source maps in production - MEDIUM
+  productionBrowserSourceMaps: true,
+  // Other config
+  reactStrictMode: true,
+  images: {
+    domains: ['cdn.example.com'],
+  },
+}
+module.exports = nextConfig
+`,
+        language: 'javascript',
+        size: 300,
+      },
+    },
+    {
+      name: 'Package.json Security Issues',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Package.json security issues that MUST be detected',
+      file: {
+        path: 'package.json',
+        content: `{
+  "name": "my-app",
+  "version": "1.0.0",
+  "scripts": {
+    "start": "node index.js",
+    "postinstall": "node scripts/setup.js",
+    "preinstall": "node scripts/verify.js"
+  },
+  "dependencies": {
+    "express": "*",
+    "lodash": "latest",
+    "axios": "^1.0.0"
+  },
+  "devDependencies": {
+    "jest": "*"
+  }
+}`,
+        language: 'json',
+        size: 350,
+      },
+    },
+    {
+      name: 'Dockerfile Without USER',
+      expectFindings: true,
+      expectedCategories: ['insecure_config'],
+      description: 'Dockerfile without USER instruction runs as root by default',
+      file: {
+        path: 'services/api/Dockerfile',
+        content: `
+FROM python:3.11-slim
+WORKDIR /app
+COPY requirements.txt .
+RUN pip install -r requirements.txt
+COPY . .
+EXPOSE 8000
+# No USER instruction - runs as root by default - MEDIUM
+CMD ["python", "app.py"]
+`,
+        language: 'dockerfile',
+        size: 200,
+      },
+    },
+  ],
+  falseNegatives: [
+    {
+      name: 'Safe Dockerfile Configuration',
+      expectFindings: false,
+      description: 'Properly configured Dockerfile that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'insecure_config',
+          maxCount: 1,
+          reason: 'Some patterns may generate low-severity findings',
+        },
+      ],
+      file: {
+        path: 'Dockerfile',
+        content: `
+FROM node:18-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm install --production
+COPY . .
+# Running as non-root user - SAFE
+USER node
+# Secrets from build args without defaults - SAFE
+ARG DATABASE_URL
+ENV DATABASE_URL=\${DATABASE_URL}
+EXPOSE 3000
+CMD ["npm", "start"]
+`,
+        language: 'dockerfile',
+        size: 250,
+      },
+    },
+    {
+      name: 'Safe Docker Compose',
+      expectFindings: false,
+      description: 'Docker Compose with secrets from env vars should NOT be flagged',
+      file: {
+        path: 'docker-compose.yml',
+        content: `
+version: '3.8'
+services:
+  app:
+    build: .
+    ports:
+      - "3000:3000"
+    environment:
+      # Secrets from environment variables - SAFE
+      DATABASE_PASSWORD: \${DATABASE_PASSWORD}
+      API_KEY: \${API_KEY}
+      JWT_SECRET: \${JWT_SECRET}
+    env_file:
+      - .env
+  db:
+    image: postgres:15
+    environment:
+      POSTGRES_PASSWORD: \${POSTGRES_PASSWORD}
+`,
+        language: 'yaml',
+        size: 350,
+      },
+    },
+    {
+      name: 'Safe CORS Configuration',
+      expectFindings: false,
+      description: 'Properly configured CORS should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'insecure_config',
+          maxCount: 1,
+          reason: 'CORS patterns may generate low-severity findings',
+        },
+        {
+          category: 'sensitive_url',
+          maxCount: 2,
+          reason: 'URLs in CORS config may trigger URL detection',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 1,
+          reason: 'Function-based patterns may trigger AI detection',
+        },
+      ],
+      file: {
+        path: 'src/config/cors-config.ts',
+        content: `
+// Environment-based CORS configuration - SAFE
+export const corsConfig = {
+  origin: process.env.ALLOWED_ORIGINS?.split(','),
+  credentials: true,
+}
+`,
+        language: 'typescript',
+        size: 100,
+      },
+    },
+    {
+      name: 'Safe Next.js Config',
+      expectFindings: false,
+      description: 'Secure Next.js configuration should NOT be flagged',
+      file: {
+        path: 'next.config.js',
+        content: `
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  // Disabled header - SAFE (or omitted entirely)
+  poweredByHeader: false,
+  // Source maps disabled - SAFE
+  productionBrowserSourceMaps: false,
+  reactStrictMode: true,
+  // Security headers
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+        ],
+      },
+    ]
+  },
+}
+module.exports = nextConfig
+`,
+        language: 'javascript',
+        size: 400,
+      },
+    },
+    {
+      name: 'Safe Package.json',
+      expectFindings: false,
+      description: 'Properly configured package.json should NOT be flagged',
+      file: {
+        path: 'package.json',
+        content: `{
+  "name": "my-app",
+  "version": "1.0.0",
+  "scripts": {
+    "start": "node index.js",
+    "build": "tsc",
+    "test": "jest"
+  },
+  "dependencies": {
+    "express": "^4.18.2",
+    "lodash": "^4.17.21",
+    "axios": "~1.6.0"
+  },
+  "devDependencies": {
+    "jest": "^29.7.0",
+    "typescript": "^5.3.0"
+  }
+}`,
+        language: 'json',
+        size: 300,
+      },
+    },
+    {
+      name: 'Example/Template Configs',
+      expectFindings: false,
+      description: 'Example configs with placeholders should NOT be flagged',
+      file: {
+        path: 'docker-compose.example.yml',
+        content: `
+version: '3.8'
+services:
+  app:
+    build: .
+    environment:
+      # Replace with your actual values
+      DATABASE_PASSWORD: <YOUR_PASSWORD_HERE>
+      API_KEY: your-api-key-here
+      JWT_SECRET: CHANGEME
+`,
+        language: 'yaml',
+        size: 200,
+      },
+    },
+  ],
+}