npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts ADDED Viewed

@@ -0,0 +1,246 @@
+/**
+ * Dangerous Functions Test Fixtures
+ * Tests for detecting eval, exec, SQL injection, XSS, and other dangerous function usage
+ */
+import type { TestGroup } from '../../types'
+export const dangerousFunctionsTests: TestGroup = {
+  name: 'Dangerous Functions',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of dangerous function calls that can lead to code injection, SQL injection, and XSS',
+  truePositives: [
+    {
+      name: 'Dangerous Functions - True Positives',
+      expectFindings: true,
+      expectedCategories: ['dangerous_function'],
+      description: 'Dangerous function patterns that MUST be detected',
+      file: {
+        path: 'src/api/execute.ts',
+        content: `
+import { exec, execSync, spawn } from 'child_process'
+// eval() with user input (Critical)
+export function executeUserCode(userCode: string) {
+  return eval(userCode)
+}
+// Function constructor (Critical)
+export function createDynamicFunction(code: string) {
+  return new Function('input', code)
+}
+// exec() with user input (Critical - Command Injection)
+export function runCommand(userCommand: string) {
+  exec(userCommand, (error, stdout) => {
+    console.log(stdout)
+  })
+}
+// execSync with template literal (Critical)
+export function runUserScript(filename: string) {
+  return execSync(\`node \${filename}\`)
+}
+// spawn with user-controlled args (High)
+export function spawnProcess(program: string, args: string[]) {
+  return spawn(program, args)
+}
+// SQL injection via string concatenation (Critical)
+export async function getUser(userId: string) {
+  const query = "SELECT * FROM users WHERE id = '" + userId + "'"
+  return db.query(query)
+}
+// SQL injection via template literal (Critical)
+export async function searchUsers(searchTerm: string) {
+  return db.query(\`SELECT * FROM users WHERE name LIKE '%\${searchTerm}%'\`)
+}
+// innerHTML with user data (High - XSS)
+export function renderUserContent(userHtml: string) {
+  document.getElementById('content').innerHTML = userHtml
+}
+// dangerouslySetInnerHTML with user data (High - XSS in React)
+export function UserContent({ html }: { html: string }) {
+  return <div dangerouslySetInnerHTML={{ __html: html }} />
+}
+// Unvalidated redirect (Medium - Open Redirect)
+export function redirect(url: string) {
+  window.location.href = url
+}
+// setTimeout with string (Medium)
+export function delayedExec(code: string) {
+  setTimeout(code, 1000)
+}
+// setInterval with string (Medium)
+export function repeatedExec(code: string) {
+  setInterval(code, 1000)
+}
+`,
+        language: 'typescript',
+        size: 1800,
+      },
+    },
+    {
+      name: 'Dangerous Functions - SQL Injection Variants',
+      expectFindings: true,
+      expectedCategories: ['dangerous_function'],
+      description: 'Various SQL injection patterns',
+      file: {
+        path: 'src/api/queries.ts',
+        content: `
+// String concatenation SQL injection
+export async function getUserByEmail(email: string) {
+  return db.query("SELECT * FROM users WHERE email = '" + email + "'")
+}
+// Template literal SQL injection
+export async function searchProducts(term: string) {
+  return db.query(\`SELECT * FROM products WHERE name LIKE '%\${term}%'\`)
+}
+// Multi-line SQL with injection
+export async function getOrders(userId: string, status: string) {
+  const query = \`
+    SELECT * FROM orders
+    WHERE user_id = '\${userId}'
+    AND status = '\${status}'
+  \`
+  return db.query(query)
+}
+// UPDATE statement injection
+export async function updateUser(userId: string, name: string) {
+  return db.query(\`UPDATE users SET name = '\${name}' WHERE id = '\${userId}'\`)
+}
+// DELETE statement injection
+export async function deleteUser(userId: string) {
+  return db.query("DELETE FROM users WHERE id = '" + userId + "'")
+}
+`,
+        language: 'typescript',
+        size: 900,
+      },
+    },
+  ],
+  falseNegatives: [
+    {
+      name: 'Dangerous Functions - False Negatives',
+      expectFindings: false,
+      description: 'Safe function patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'dangerous_function',
+          maxCount: 6,
+          reason: 'Static eval, hardcoded exec, and JSON.parse with safe sources generate info-level findings',
+        },
+      ],
+      file: {
+        path: 'src/api/safe-execute.ts',
+        content: `
+import { execSync } from 'child_process'
+// Static eval (no user input) - SAFE
+const config = eval('({ mode: "production" })')
+// exec with hardcoded command - SAFE
+function checkVersion() {
+  return execSync('node --version').toString()
+}
+// Parameterized SQL queries - SAFE
+async function getUser(userId: string) {
+  return db.query('SELECT * FROM users WHERE id = $1', [userId])
+}
+// ORM queries - SAFE
+async function findUser(userId: string) {
+  return prisma.user.findUnique({ where: { id: userId } })
+}
+// innerHTML with static content - SAFE
+function setStaticContent() {
+  document.getElementById('footer').innerHTML = '<p>Copyright 2024</p>'
+}
+// React JSX (auto-escaped) - SAFE
+function UserName({ name }: { name: string }) {
+  return <div>{name}</div>
+}
+// dangerouslySetInnerHTML with sanitized content - SAFE
+import DOMPurify from 'dompurify'
+function SafeUserContent({ html }: { html: string }) {
+  const clean = DOMPurify.sanitize(html)
+  return <div dangerouslySetInnerHTML={{ __html: clean }} />
+}
+// JSON.parse from own database - SAFE
+async function getConfig() {
+  const row = await db.query('SELECT config FROM settings WHERE id = 1')
+  return JSON.parse(row.config)
+}
+// JSON.parse with try-catch - SAFE
+function parseConfig(data: string) {
+  try {
+    return JSON.parse(data)
+  } catch {
+    return {}
+  }
+}
+`,
+        language: 'typescript',
+        size: 1400,
+      },
+    },
+    {
+      name: 'Dangerous Functions - Parameterized Queries',
+      expectFindings: false,
+      description: 'Properly parameterized SQL that should not be flagged',
+      file: {
+        path: 'src/api/safe-queries.ts',
+        content: `
+// Parameterized queries - SAFE
+async function getUserById(id: string) {
+  return db.query('SELECT * FROM users WHERE id = $1', [id])
+}
+// Named parameters - SAFE
+async function findByEmail(email: string) {
+  return db.query('SELECT * FROM users WHERE email = :email', { email })
+}
+// Prisma ORM - SAFE
+async function getOrders(userId: string) {
+  return prisma.order.findMany({
+    where: { userId }
+  })
+}
+// Drizzle ORM - SAFE
+async function getProducts(category: string) {
+  return db.select().from(products).where(eq(products.category, category))
+}
+// Knex query builder - SAFE
+async function searchUsers(name: string) {
+  return knex('users').where('name', 'like', \`%\${name}%\`)
+}
+`,
+        language: 'typescript',
+        size: 700,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts ADDED Viewed

@@ -0,0 +1,168 @@
+/**
+ * Data Exposure Test Fixtures
+ * Tests for detecting sensitive data exposure in logs, responses, and error handling
+ */
+import type { TestGroup } from '../../types'
+export const dataExposureTests: TestGroup = {
+  name: 'Data Exposure',
+  tier: 'B',
+  layer: 2,
+  description: 'Detection of sensitive data exposure in logs, responses, and error handling',
+  truePositives: [
+    {
+      name: 'Data Exposure - True Positives',
+      expectFindings: true,
+      expectedCategories: ['data_exposure'],
+      description: 'Data exposure patterns that MUST be detected',
+      file: {
+        path: 'src/api/users/route.ts',
+        content: `
+import { NextResponse } from 'next/server'
+// Full error stack in response - HIGH
+export async function GET() {
+  try {
+    const users = await db.user.findMany()
+    return NextResponse.json(users)
+  } catch (error) {
+    return NextResponse.json({
+      error: error.stack,  // Stack trace exposed!
+      details: error
+    }, { status: 500 })
+  }
+}
+// Logging passwords - CRITICAL
+export async function POST(request: Request) {
+  const { email, password } = await request.json()
+  console.log('Login attempt:', email, password)  // Password logged!
+  return authenticate(email, password)
+}
+// Logging API keys - HIGH
+export async function useKey(apiKey: string) {
+  console.log('Using API key:', apiKey)  // Secret logged!
+  return callAPI(apiKey)
+}
+// Returning full user object with sensitive fields - MEDIUM
+export async function getUser(userId: string) {
+  const user = await db.user.findUnique({
+    where: { id: userId },
+    include: {
+      apiKeys: true,    // API keys exposed!
+      sessions: true,   // Sessions exposed!
+    }
+  })
+  return NextResponse.json(user)  // No field filtering!
+}
+// Debug endpoint in production - HIGH
+export async function DEBUG() {
+  return NextResponse.json({
+    env: process.env,  // All env vars exposed!
+    config: serverConfig,
+  })
+}
+// Verbose internal error details - MEDIUM
+export async function handleError(error: any) {
+  return NextResponse.json({
+    error: error.message,
+    internalCode: error.code,
+    query: error.query,  // SQL query exposed!
+    trace: error.trace,
+  })
+}
+`,
+        language: 'typescript',
+        size: 1400,
+      },
+    },
+  ],
+  falseNegatives: [
+    {
+      name: 'Data Exposure - False Negatives',
+      expectFindings: false,
+      description: 'Safe error handling patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'ai_pattern',
+          maxCount: 2,
+          reason: 'AI boilerplate error messages are info-level findings',
+        },
+        {
+          category: 'data_exposure',
+          maxCount: 2,
+          reason: 'Exposing filtered user object is low/info-level, not a security issue',
+        },
+      ],
+      file: {
+        path: 'src/api/safe-handlers.ts',
+        content: `
+import { NextResponse } from 'next/server'
+// error.message only - SAFE (recommended pattern)
+export async function GET() {
+  try {
+    const data = await fetchData()
+    return NextResponse.json(data)
+  } catch (error) {
+    console.error('Error:', error)  // Logged for debugging - SAFE
+    return NextResponse.json({
+      error: error.message  // Only message, not stack - SAFE
+    }, { status: 500 })
+  }
+}
+// Static error message - SAFE
+export async function POST() {
+  try {
+    await doSomething()
+  } catch {
+    return NextResponse.json({
+      error: 'An error occurred'  // Generic message - SAFE
+    }, { status: 500 })
+  }
+}
+// Logging non-sensitive data - SAFE
+export async function logRequest(request: Request) {
+  const { method, url } = request
+  console.log(\`\${method} \${url}\`)  // No secrets - SAFE
+}
+// Filtered user response - SAFE
+export async function getUser(userId: string) {
+  const user = await db.user.findUnique({
+    where: { id: userId },
+    select: {
+      id: true,
+      name: true,
+      email: true,
+      // No sensitive fields selected
+    }
+  })
+  return NextResponse.json(user)
+}
+// Config check message - SAFE
+export async function checkConfig() {
+  if (!process.env.OPENAI_API_KEY) {
+    return NextResponse.json({
+      error: 'OpenAI API key not configured'  // Operational info - SAFE
+    }, { status: 500 })
+  }
+}
+`,
+        language: 'typescript',
+        size: 1200,
+      },
+    },
+  ],
+}