@oculum/scanner 1.0.0

package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts

@@ -0,0 +1,173 @@
+/**
+ * Hardcoded Secrets Test Fixtures
+ * Tests for detecting API keys, tokens, passwords, and other secrets in code
+ */
+
+import type { TestGroup } from '../../types'
+
+export const hardcodedSecretsTests: TestGroup = {
+  name: 'Hardcoded Secrets',
+  tier: 'A',
+  layer: 1,
+  description: 'Detection of API keys, tokens, passwords, and other secrets hardcoded in source code',
+  
+  truePositives: [
+    {
+      name: 'Hardcoded Secrets - True Positives',
+      expectFindings: true,
+      expectedCategories: ['hardcoded_secret'],
+      description: 'Various hardcoded secrets that MUST be detected',
+      file: {
+        path: 'src/config/secrets.ts',
+        content: `
+// AWS Credentials (Critical)
+const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+// API Keys (Critical)
+const OPENAI_API_KEY = "sk-proj-abc123def456ghi789jkl012mno345pqr678stu901vwx"
+const ANTHROPIC_API_KEY = "sk-ant-api03-abcdefghijklmnopqrstuvwxyz0123456789"
+const STRIPE_SECRET_KEY = "sk_live_51AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
+const STRIPE_PUBLISHABLE_KEY = "pk_live_51AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"
+
+// GitHub Tokens (High)
+const GITHUB_TOKEN = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+const GITHUB_PAT = "github_pat_11ABCDEFG_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+// Database Credentials (Critical)
+const DATABASE_URL = "postgresql://admin:SuperSecret123!@prod-db.example.com:5432/production"
+const MONGO_URI = "mongodb+srv://admin:password123@cluster0.mongodb.net/prod?retryWrites=true"
+const REDIS_URL = "redis://:secretpassword@redis.example.com:6379"
+
+// JWT Secrets (High)
+const JWT_SECRET = "super_secret_jwt_signing_key_12345"
+const SESSION_SECRET = "my-session-secret-dont-share"
+
+// Private Keys (Critical)
+const PRIVATE_KEY = \`-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy...
+-----END RSA PRIVATE KEY-----\`
+
+// Slack/Discord Webhooks (Medium)
+const SLACK_WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX"
+const DISCORD_WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP"
+
+// SendGrid/Twilio (High)
+const SENDGRID_API_KEY = "SG.xxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+const TWILIO_AUTH_TOKEN = "12345678901234567890123456789012"
+`,
+        language: 'typescript',
+        size: 2000,
+      },
+    },
+    {
+      name: 'Hardcoded Secrets - Cloud Provider Keys',
+      expectFindings: true,
+      expectedCategories: ['hardcoded_secret'],
+      description: 'Cloud provider API keys and service account credentials',
+      file: {
+        path: 'src/config/cloud-keys.ts',
+        content: `
+// Google Cloud
+const GCP_API_KEY = "AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe"
+const GCP_SERVICE_ACCOUNT = {
+  "type": "service_account",
+  "project_id": "my-project",
+  "private_key_id": "key123",
+  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg..."
+}
+
+// Azure
+const AZURE_STORAGE_KEY = "DefaultEndpointsProtocol=https;AccountName=myaccount;AccountKey=abc123def456..."
+const AZURE_CLIENT_SECRET = "~Ab1.cDeF2gHiJ3kLmN4oPqR5sTuV6wXyZ"
+
+// DigitalOcean
+const DO_API_TOKEN = "dop_v1_abc123def456ghi789jkl012mno345pqr678stu901"
+
+// Cloudflare
+const CF_API_KEY = "c2547eb745079dac9320b638f5e225cf483cc5cfdda41"
+`,
+        language: 'typescript',
+        size: 800,
+      },
+    },
+  ],
+  
+  falseNegatives: [
+    {
+      name: 'Hardcoded Secrets - False Negatives',
+      expectFindings: false,
+      description: 'Patterns that should NOT be flagged as hardcoded secrets',
+      file: {
+        path: 'src/config/config.ts',
+        content: `
+// Environment variables - SAFE
+const API_KEY = process.env.API_KEY
+const DATABASE_URL = process.env.DATABASE_URL
+const JWT_SECRET = process.env.JWT_SECRET || ''
+
+// Next.js public env vars - SAFE
+const NEXT_PUBLIC_API_URL = process.env.NEXT_PUBLIC_API_URL
+
+// Placeholder values - SAFE
+const PLACEHOLDER_KEY = "your-api-key-here"
+const EXAMPLE_SECRET = "<INSERT_SECRET>"
+const TODO_KEY = "TODO: replace with real key"
+const TEST_KEY = "test_key_not_real"
+
+// Type definitions - SAFE
+interface Config {
+  apiKey: string
+  secretKey: string
+  jwtSecret: string
+}
+
+// Function parameters - SAFE
+function authenticate(apiKey: string, secretKey: string) {
+  return fetch('/api/auth', {
+    headers: { 'Authorization': \`Bearer \${apiKey}\` }
+  })
+}
+
+// Comments discussing secrets - SAFE (not actual secrets)
+// The API key should be stored in AWS_SECRET_ACCESS_KEY
+// Format: sk-ant-api03-xxxxx
+
+// Documentation examples - SAFE
+/*
+ * Example usage:
+ * const client = new Client({ apiKey: "sk-..." })
+ */
+`,
+        language: 'typescript',
+        size: 1000,
+      },
+    },
+    {
+      name: 'Hardcoded Secrets - Env File Template',
+      expectFindings: false,
+      description: '.env.example files should not be flagged',
+      file: {
+        path: '.env.example',
+        content: `
+# Database
+DATABASE_URL=postgresql://user:password@localhost:5432/mydb
+
+# API Keys (replace with your own)
+OPENAI_API_KEY=sk-your-key-here
+ANTHROPIC_API_KEY=sk-ant-your-key-here
+
+# Auth
+JWT_SECRET=generate-a-random-string-here
+NEXTAUTH_SECRET=another-random-string
+
+# Third party
+STRIPE_SECRET_KEY=sk_test_your_key
+STRIPE_PUBLISHABLE_KEY=pk_test_your_key
+`,
+        language: 'text',
+        size: 400,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts

@@ -0,0 +1,234 @@
+/**
+ * High-Entropy String Detection Test Fixtures
+ * Tests for detecting potential secrets based on Shannon entropy
+ */
+
+import type { TestGroup } from '../../types'
+
+export const highEntropyTests: TestGroup = {
+  name: 'High-Entropy Strings',
+  tier: 'B',
+  layer: 1,
+  description: 'Detection of high-entropy strings that may be secrets',
+
+  truePositives: [
+    {
+      name: 'High-Entropy - True Positives',
+      expectFindings: true,
+      expectedCategories: ['high_entropy_string'],
+      description: 'High-entropy strings that MUST be detected',
+      file: {
+        path: 'src/config/secrets.ts',
+        content: `
+// Random strings that look like secrets - should be flagged
+const randomSecret = 'aB3xK9mPqR5tL7nW2cF4hJ6dG8vS0yU1'
+const anotherSecret = 'xYz123AbC456dEf789GhI012JkL345MnO'
+const hexSecret = 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8'
+
+// Base64-encoded looking strings
+const base64Secret = 'YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXo='
+const longBase64 = 'SGVsbG9Xb3JsZFRoaXNJc0FMb25nU3RyaW5nRm9yVGVzdGluZw=='
+
+// Mixed alphanumeric high-entropy
+const mixedSecret = 'Qw3rTy7U1oP9aS2dF4gH6jK8lZ0xCvB'
+const complexSecret = 'n5X2mK8pL3qW7rT9yU4iO1aS6dF0gH'
+
+// Strings that could be API keys
+const potentialKey = 'sk_live_51JvXxxxxxxxxxxxxxxxxxxx12345'
+const anotherKey = 'rk_test_aBcDeFgHiJkLmNoPqRsTuVwXyZ'
+
+// JWT-like high entropy segments
+const jwtPayload = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0'
+`,
+        language: 'typescript',
+        size: 800,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'High-Entropy - False Negatives (Safe Patterns)',
+      expectFindings: false,
+      description: 'High-entropy but safe patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'high_entropy_string',
+          maxCount: 5,
+          reason: 'Some edge cases may still generate info findings requiring AI validation',
+        },
+        {
+          category: 'hardcoded_secret',
+          maxCount: 3,
+          reason: 'Hashes and webhook URLs may trigger secret detection',
+        },
+        {
+          category: 'sensitive_url',
+          maxCount: 3,
+          reason: 'URLs in test data may trigger URL detection',
+        },
+        {
+          category: 'sensitive_variable',
+          maxCount: 2,
+          reason: 'Variable names may trigger sensitive variable detection',
+        },
+      ],
+      file: {
+        path: 'src/components/Dashboard.tsx',
+        content: `
+import { useState, useEffect } from 'react'
+
+// CSS/Tailwind classes - SAFE (looks high entropy but is CSS)
+const styles = 'flex items-center justify-between p-4 bg-gray-100 rounded-lg shadow-md'
+const moreStyles = 'text-sm font-medium text-gray-700 hover:text-blue-600 transition-colors duration-200'
+const complexTailwind = 'grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4 px-6 py-8 bg-gradient-to-r'
+
+// UUIDs - SAFE (standard format)
+const userId = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+
+// Short references - SAFE
+const commitRef = 'a1b2c3d'
+
+// Natural language content - SAFE
+const description = 'This is a longer description that explains what the feature does and how to use it properly'
+const message = 'Please enter your email address to continue with the registration process'
+
+// UI strings with model names - SAFE
+const modelLabel = 'Claude 3.5 Sonnet - Best for chat and embeddings with high accuracy'
+const tooltip = 'Uses GPT-4 Turbo for advanced reasoning and complex analysis tasks'
+
+// URLs - SAFE
+const docsUrl = 'https://docs.myapp.com/getting-started'
+
+// File paths - SAFE
+const configPath = '/home/user/.config/myapp/settings/production.json'
+const assetPath = '/assets/images/icons/dashboard/analytics/chart-line.svg'
+
+// CSS gradients and colors - SAFE
+const gradient = 'linear-gradient(135deg, #667eea 0%, #764ba2 100%)'
+const complexColor = 'rgba(102, 126, 234, 0.85)'
+
+// Template literals with code expressions - SAFE
+const formattedTime = \`Synced \${lastSync.toLocaleString()} - \${hours}h ago\`
+const displayPrice = \`$\${price.toFixed(2).padStart(8, '0')}\`
+
+// Dates/timestamps - SAFE
+const timestamp = '2024-01-15T14:30:00.000Z'
+const formattedDate = '2024-01-15 14:30:00+00:00'
+
+// Email addresses - SAFE
+const supportEmail = 'support+test-user@example-company.com'
+
+// Regex patterns (route matchers) - SAFE
+const routePattern = '/api/v1/users/[id]/posts/(?:comments|reactions)'
+const pathMatcher = '^\\/api\\/v[0-9]+\\/(?:users|posts)\\/(.*)'
+`,
+        language: 'typescript',
+        size: 2200,
+      },
+    },
+    {
+      name: 'High-Entropy - False Negatives (CSS-in-JS)',
+      expectFindings: false,
+      description: 'CSS-in-JS patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'high_entropy_string',
+          maxCount: 1,
+          reason: 'Complex CSS may occasionally trigger',
+        },
+      ],
+      file: {
+        path: 'src/styles/theme.ts',
+        content: `
+import styled from 'styled-components'
+
+// Styled components - SAFE
+const Button = styled.button\`
+  background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+  color: #ffffff;
+  padding: 12px 24px;
+  border-radius: 8px;
+  font-weight: 600;
+  transition: transform 0.2s ease-in-out, box-shadow 0.2s ease-in-out;
+
+  &:hover {
+    transform: translateY(-2px);
+    box-shadow: 0 4px 12px rgba(102, 126, 234, 0.4);
+  }
+\`
+
+// Emotion CSS - SAFE
+const containerStyles = css\`
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+  gap: 24px;
+  padding: 32px;
+  background: #f8fafc;
+  border-radius: 12px;
+\`
+
+// Inline styles object - SAFE
+const inlineStyle = {
+  background: 'linear-gradient(to right, #4facfe 0%, #00f2fe 100%)',
+  boxShadow: '0 10px 40px rgba(0, 0, 0, 0.15)',
+  transform: 'perspective(1000px) rotateY(5deg)',
+}
+
+// CSS custom properties - SAFE
+const cssVars = {
+  '--primary-gradient': 'linear-gradient(135deg, #667eea 0%, #764ba2 100%)',
+  '--shadow-color': 'rgba(102, 126, 234, 0.25)',
+}
+`,
+        language: 'typescript',
+        size: 1000,
+      },
+    },
+    {
+      name: 'Test File High-Entropy',
+      expectFindings: false,
+      description: 'Test files with high-entropy test data',
+      allowedInfoFindings: [
+        {
+          category: 'high_entropy_string',
+          maxCount: 3,
+          reason: 'Test data may have some high-entropy patterns',
+        },
+        {
+          category: 'hardcoded_secret',
+          maxCount: 2,
+          reason: 'Test secrets may be detected at low severity',
+        },
+      ],
+      file: {
+        path: 'src/__tests__/crypto.test.ts',
+        content: `
+import { describe, it, expect } from 'vitest'
+import { hash, encrypt, decrypt } from '../crypto'
+
+describe('Crypto utils', () => {
+  // Test vectors with known outputs - OK in tests
+  const testKey = 'aB3xK9mPqR5tL7nW2cF4hJ6dG8vS0yU1'
+  const testIV = '0123456789abcdef0123456789abcdef'
+  const expectedHash = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
+
+  it('should hash correctly', () => {
+    const result = hash('test-input')
+    expect(result).toMatch(/^[a-f0-9]{64}$/)
+  })
+
+  it('should encrypt and decrypt', () => {
+    const plaintext = 'Hello, World!'
+    const encrypted = encrypt(plaintext, testKey)
+    const decrypted = decrypt(encrypted, testKey)
+    expect(decrypted).toBe(plaintext)
+  })
+})
+`,
+        language: 'typescript',
+        size: 700,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer1/index.ts

@@ -0,0 +1,31 @@
+/**
+ * Layer 1 Test Fixtures Index
+ * Exports all Layer 1 (Surface Scan) test fixtures
+ */
+
+export { hardcodedSecretsTests } from './hardcoded-secrets'
+export { weakCryptoTests } from './weak-crypto'
+export { sensitiveUrlsTests } from './sensitive-urls'
+// M6: New Layer 1 fixtures
+export { highEntropyTests } from './high-entropy'
+export { configAuditTests } from './config-audit'
+
+import type { TestGroup } from '../../types'
+import { hardcodedSecretsTests } from './hardcoded-secrets'
+import { weakCryptoTests } from './weak-crypto'
+import { sensitiveUrlsTests } from './sensitive-urls'
+// M6: New Layer 1 fixtures
+import { highEntropyTests } from './high-entropy'
+import { configAuditTests } from './config-audit'
+
+/**
+ * All Layer 1 test groups
+ */
+export const layer1TestGroups: TestGroup[] = [
+  hardcodedSecretsTests,
+  weakCryptoTests,
+  sensitiveUrlsTests,
+  // M6: New Layer 1 fixtures
+  highEntropyTests,
+  configAuditTests,
+]

package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts

@@ -0,0 +1,90 @@
+/**
+ * Sensitive URLs Test Fixtures
+ * Tests for detecting sensitive URLs with embedded credentials or internal endpoints
+ */
+
+import type { TestGroup } from '../../types'
+
+export const sensitiveUrlsTests: TestGroup = {
+  name: 'Sensitive URLs',
+  tier: 'A',
+  layer: 1,
+  description: 'Detection of URLs with embedded credentials, internal endpoints, and webhook URLs',
+  
+  truePositives: [
+    {
+      name: 'Sensitive URLs - True Positives',
+      expectFindings: true,
+      expectedCategories: ['sensitive_url', 'hardcoded_secret'],
+      description: 'Sensitive URLs that MUST be detected',
+      file: {
+        path: 'src/config/endpoints.ts',
+        content: `
+// Webhook URLs with embedded tokens (High)
+const SLACK_WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXX"
+const DISCORD_WEBHOOK = "https://discord.com/api/webhooks/123456789/abcdef"
+const GITHUB_WEBHOOK = "https://api.github.com/repos/owner/repo/hooks?token=abc123"
+
+// Internal infrastructure URLs (Medium)
+const INTERNAL_API = "http://internal-api.prod.company.com/admin"
+const KUBERNETES_API = "https://10.0.0.1:6443/api/v1/namespaces"
+const VAULT_URL = "http://vault.internal:8200/v1/secret/data"
+
+// URLs with embedded credentials (Critical)
+const DB_ADMIN = "https://admin:password@db.example.com:5432"
+const REDIS_ADMIN = "redis://:secretpass@redis.prod.internal:6379"
+const GRAFANA_URL = "https://admin:grafana123@monitoring.internal/d/dashboard"
+
+// Production hardcoded endpoints (Medium)
+const PROD_API = "https://api.production.company.com/v1"
+const ADMIN_PANEL = "https://admin.production.company.com/dashboard"
+
+// S3 with access key in URL (High)
+const S3_URL = "https://AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI@s3.amazonaws.com/bucket"
+`,
+        language: 'typescript',
+        size: 1000,
+      },
+    },
+  ],
+  
+  falseNegatives: [
+    {
+      name: 'Sensitive URLs - False Negatives',
+      expectFindings: false,
+      description: 'Safe URL patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'sensitive_url',
+          maxCount: 2,
+          reason: 'Localhost URLs in dev context are info-level findings, not security issues',
+        },
+      ],
+      file: {
+        path: 'src/config/urls.ts',
+        content: `
+// Public API endpoints - SAFE
+const PUBLIC_API = "https://api.example.com/v1"
+const CDN_URL = "https://cdn.example.com/assets"
+
+// Environment-based URLs - SAFE
+const API_URL = process.env.API_URL
+const WEBHOOK_URL = process.env.WEBHOOK_URL
+
+// Localhost for development - SAFE (info at most)
+const DEV_API = "http://localhost:3000/api"
+const DEV_DB = "postgresql://localhost:5432/dev"
+
+// Documentation URLs - SAFE
+const DOCS_URL = "https://docs.example.com"
+const SWAGGER_URL = "https://api.example.com/swagger"
+
+// Template URLs - SAFE
+const URL_TEMPLATE = "https://{subdomain}.example.com/{path}"
+`,
+        language: 'typescript',
+        size: 500,
+      },
+    },
+  ],
+}