@oculum/scanner 1.0.0

package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts

@@ -0,0 +1,246 @@
+/**
+ * Logic Gates Test Fixtures
+ * Tests for detecting security bypass patterns and dangerous logic flows
+ */
+
+import type { TestGroup } from '../../types'
+
+export const logicGatesTests: TestGroup = {
+  name: 'Logic Gates / Security Bypass',
+  tier: 'C',
+  layer: 2,
+  description: 'Detection of security bypass patterns, debug flags, and dangerous logic flows',
+
+  truePositives: [
+    {
+      name: 'Security Bypass - True Positives',
+      expectFindings: true,
+      expectedCategories: ['security_bypass'],
+      description: 'Security bypass patterns that MUST be detected',
+      file: {
+        path: 'src/middleware/auth.ts',
+        content: `
+import { NextRequest, NextResponse } from 'next/server'
+
+// Development mode security bypass - HIGH
+export function authMiddleware(req: NextRequest) {
+  if (process.env.NODE_ENV !== 'production') return true
+  if (process.env.NODE_ENV === 'development') {
+    return NextResponse.next()
+  }
+
+  // Auth bypass with hardcoded true - CRITICAL
+  if (true) {
+    return NextResponse.next()
+  }
+
+  // Debug bypass flags - HIGH
+  if (DEBUG) {
+    return NextResponse.next()
+  }
+  if (SKIP_AUTH) {
+    return true
+  }
+  if (BYPASS) {
+    return allow()
+  }
+
+  return verifyAuth(req)
+}
+
+// Commented auth check - HIGH
+export async function handler(req: Request) {
+  // if (!user) return unauthorized
+  // await verifyToken(token)
+  // check permission before proceeding
+  return processRequest(req)
+}
+
+// Validation skip patterns - HIGH
+const config = {
+  skipValidation: true,
+  validate: false,
+  noValidate: true,
+}
+
+// Disabled CSRF protection - HIGH
+const securityOptions = {
+  csrf: false,
+  csrfProtection: false,
+}
+
+// Disabled SSL verification - CRITICAL
+const httpsOptions = {
+  rejectUnauthorized: false,
+  verify: false,
+  ssl: false,
+}
+process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
+
+// Unsafe default allow - MEDIUM
+function checkPermission(role: string) {
+  switch (role) {
+    case 'admin': return true
+    case 'user': return limited()
+    default: return true  // Unsafe!
+  }
+}
+
+// Empty error handler - MEDIUM
+try {
+  await riskyOperation()
+} catch (e) {
+  // silently ignore
+}
+
+try {
+  await anotherOperation()
+} catch (error) {}
+
+// Open redirect vulnerability - HIGH
+app.get('/redirect', (req, res) => {
+  redirect(req.query.url)
+  redirect(req.params.destination)
+  redirect(request.body.redirectUrl)
+})
+
+// Timing attack vulnerable comparison - MEDIUM
+function verifySecret(input: string) {
+  if (input === 'super-secret-value-12345678')
+  if (token === userToken)
+  if (password === storedPassword)
+  if (secret === expectedSecret)
+}
+
+// Admin bypass pattern - MEDIUM
+function checkAccess(user: User) {
+  if (isAdmin) return true
+  if (isSuperUser) continue
+  if (role === 'admin') return
+}
+`,
+        language: 'typescript',
+        size: 1800,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Security Bypass - False Negatives',
+      expectFindings: false,
+      description: 'Safe patterns that should NOT be flagged as security bypasses',
+      allowedInfoFindings: [
+        {
+          category: 'security_bypass',
+          maxCount: 5,
+          reason: 'Development mode checks may still generate low-severity findings',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 3,
+          reason: 'Catch blocks and feature flags may trigger ai-fingerprinting at info level',
+        },
+        {
+          category: 'insecure_config',
+          maxCount: 2,
+          reason: 'Config patterns may trigger config detection',
+        },
+        {
+          category: 'data_exposure',
+          maxCount: 2,
+          reason: 'Error handling patterns may trigger data exposure detection',
+        },
+        {
+          category: 'dangerous_function',
+          maxCount: 2,
+          reason: 'URL operations may trigger dangerous function detection',
+        },
+      ],
+      file: {
+        path: 'src/middleware/safe-auth.ts',
+        content: `
+import { NextRequest, NextResponse } from 'next/server'
+import crypto from 'crypto'
+
+// Auth middleware with proper checks - SAFE
+export function authMiddleware(req: NextRequest) {
+  const token = req.headers.get('authorization')
+  if (!token) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  return NextResponse.next()
+}
+
+// Proper error handling - SAFE
+try {
+  await riskyOperation()
+} catch (error) {
+  console.error('Operation failed:', error)
+  throw new Error('Operation failed')
+}
+
+// Proper secret comparison using timing-safe - SAFE
+function verifySecret(input: string, expected: string) {
+  const inputBuffer = Buffer.from(input)
+  const expectedBuffer = Buffer.from(expected)
+  return crypto.timingSafeEqual(inputBuffer, expectedBuffer)
+}
+
+// Default deny pattern - SAFE
+function checkPermission(role: string) {
+  switch (role) {
+    case 'admin': return true
+    case 'user': return limited()
+    default: return false  // Safe default deny
+  }
+}
+`,
+        language: 'typescript',
+        size: 700,
+      },
+    },
+    {
+      name: 'Test File Patterns',
+      expectFindings: false,
+      description: 'Security bypass patterns in test files are expected',
+      allowedInfoFindings: [
+        {
+          category: 'security_bypass',
+          maxCount: 8,
+          reason: 'Test files intentionally have bypass patterns for testing',
+        },
+        {
+          category: 'insecure_config',
+          maxCount: 3,
+          reason: 'Test configs may trigger config detection',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 2,
+          reason: 'Test patterns may trigger AI detection',
+        },
+      ],
+      file: {
+        path: 'src/__tests__/auth.test.ts',
+        content: `
+import { describe, it, expect, vi } from 'vitest'
+
+describe('Auth middleware', () => {
+  it('should authenticate valid users', () => {
+    const result = authenticate({ token: 'valid' })
+    expect(result.authenticated).toBe(true)
+  })
+
+  it('should reject invalid users', () => {
+    const result = authenticate({ token: 'invalid' })
+    expect(result.authenticated).toBe(false)
+  })
+})
+`,
+        language: 'typescript',
+        size: 300,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts

@@ -0,0 +1,231 @@
+/**
+ * Risky Imports Test Fixtures
+ * Tests for detecting deprecated, vulnerable, or risky package imports
+ */
+
+import type { TestGroup } from '../../types'
+
+export const riskyImportsTests: TestGroup = {
+  name: 'Risky Imports',
+  tier: 'C',
+  layer: 2,
+  description: 'Detection of deprecated, vulnerable, or risky package imports',
+
+  truePositives: [
+    {
+      name: 'Risky Imports - True Positives (JavaScript/TypeScript)',
+      expectFindings: true,
+      expectedCategories: ['suspicious_package'],
+      description: 'Risky package imports that MUST be detected',
+      file: {
+        path: 'src/lib/http-client.ts',
+        content: `
+// Deprecated packages - MEDIUM/LOW
+import request from 'request'
+const request = require('request')
+
+import uuid from 'node-uuid'
+const nodeUuid = require('node-uuid')
+
+// Full lodash import (bundle size/attack surface) - LOW
+import _ from 'lodash'
+import * as lodash from 'lodash'
+const _ = require('lodash')
+
+// Deprecated moment.js - LOW
+import moment from 'moment'
+const moment = require('moment')
+
+// Deprecated bcrypt-nodejs - MEDIUM
+import bcrypt from 'bcrypt-nodejs'
+const bcrypt = require('bcrypt-nodejs')
+
+// Less maintained mysql package - LOW
+import mysql from 'mysql'
+const mysql = require('mysql')
+
+// Outdated crypto - LOW
+import CryptoJS from 'crypto-js'
+
+// serialize-javascript RCE risk - MEDIUM
+import serialize from 'serialize-javascript'
+
+// express-jwt CVE history - MEDIUM
+import expressJwt from 'express-jwt'
+const jwt = require('express-jwt')
+
+// Native module concerns - LOW
+import gyp from 'node-gyp'
+
+// Analytics packages (privacy) - LOW
+import analytics from 'analytics'
+import segment from 'segment'
+import mixpanel from 'mixpanel'
+import amplitude from 'amplitude'
+
+// vm2 sandbox (info - for awareness) - INFO
+import { VM } from 'vm2'
+const vm2 = require('vm2')
+`,
+        language: 'typescript',
+        size: 1000,
+      },
+    },
+    {
+      name: 'Risky Imports - True Positives (Python)',
+      expectFindings: true,
+      expectedCategories: ['suspicious_package'],
+      description: 'Python risky patterns that MUST be detected',
+      file: {
+        path: 'src/scripts/processor.py',
+        content: `
+# Pickle unsafe deserialization - HIGH
+import pickle
+from pickle import load, dump
+
+# Load pickle data from file
+data = pickle.load(open('data.pkl', 'rb'))
+
+# YAML unsafe load - HIGH
+import yaml
+
+config = yaml.load(open('config.yml'))  # Missing Loader parameter
+data = yaml.load(file_content)
+
+# subprocess shell injection - HIGH
+import subprocess
+
+subprocess.call(user_command, shell=True)
+subprocess.run(cmd, shell=True)
+subprocess.Popen(command, shell=True)
+subprocess.check_output(user_input, shell=True)
+`,
+        language: 'python',
+        size: 500,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Risky Imports - False Negatives (Safe Alternatives)',
+      expectFindings: false,
+      description: 'Modern/safe alternatives that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'suspicious_package',
+          maxCount: 1,
+          reason: 'Some packages may still generate info-level awareness findings',
+        },
+      ],
+      file: {
+        path: 'src/lib/safe-client.ts',
+        content: `
+// Modern HTTP clients - SAFE
+import axios from 'axios'
+import fetch from 'node-fetch'
+
+// Modern UUID - SAFE
+import { v4 as uuidv4 } from 'uuid'
+
+// Tree-shakeable lodash imports - SAFE
+import get from 'lodash/get'
+import set from 'lodash/set'
+import { get, set } from 'lodash-es'
+
+// Modern date libraries - SAFE
+import { format, parse } from 'date-fns'
+import dayjs from 'dayjs'
+
+// Modern bcrypt - SAFE
+import bcrypt from 'bcrypt'
+import bcryptjs from 'bcryptjs'
+
+// mysql2 (maintained) - SAFE
+import mysql from 'mysql2'
+
+// Native crypto - SAFE
+import crypto from 'crypto'
+import { randomBytes } from 'crypto'
+
+// jose for JWT - SAFE
+import { SignJWT, jwtVerify } from 'jose'
+import jwt from 'jsonwebtoken'
+`,
+        language: 'typescript',
+        size: 600,
+      },
+    },
+    {
+      name: 'Risky Imports - False Negatives (Python Safe Patterns)',
+      expectFindings: false,
+      description: 'Safe Python patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'suspicious_package',
+          maxCount: 8,
+          reason: 'Package imports may still be flagged at info level even when used safely',
+        },
+        {
+          category: 'dangerous_function',
+          maxCount: 3,
+          reason: 'Subprocess and file operations may trigger dangerous function detection',
+        },
+        {
+          category: 'insecure_config',
+          maxCount: 2,
+          reason: 'Config loading patterns may trigger config detection',
+        },
+      ],
+      file: {
+        path: 'src/scripts/safe_processor.py',
+        content: `
+# Safe YAML loading with explicit safe loader - SAFE
+import yaml
+
+# Using safe_load is the recommended approach
+config = yaml.safe_load(open('config.yml'))
+
+# JSON is always safe for serialization - SAFE
+import json
+
+data = json.load(open('data.json'))
+`,
+        language: 'python',
+        size: 200,
+      },
+    },
+    {
+      name: 'Comments About Risky Packages',
+      expectFindings: false,
+      description: 'Comments mentioning risky packages should NOT be flagged',
+      file: {
+        path: 'src/MIGRATION.md',
+        content: `
+# Migration Guide
+
+## HTTP Client Migration
+
+We migrated from the deprecated 'request' package to axios.
+The old code used: import request from 'request'
+New code uses: import axios from 'axios'
+
+## Date Library Migration
+
+// Old: import moment from 'moment'
+// New: import { format } from 'date-fns'
+
+Note: moment.js is now in maintenance mode.
+
+## UUID Migration
+
+Previously we used node-uuid which is deprecated.
+// const uuid = require('node-uuid')
+Now we use the uuid package directly.
+`,
+        language: 'markdown',
+        size: 400,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/variables.ts

@@ -0,0 +1,167 @@
+/**
+ * Sensitive Variables Test Fixtures
+ * Tests for detecting sensitive variable names with hardcoded values
+ */
+
+import type { TestGroup } from '../../types'
+
+export const sensitiveVariablesTests: TestGroup = {
+  name: 'Sensitive Variables',
+  tier: 'C',
+  layer: 2,
+  description: 'Detection of sensitive variable names with hardcoded values',
+
+  truePositives: [
+    {
+      name: 'Sensitive Variables - True Positives',
+      expectFindings: true,
+      expectedCategories: ['sensitive_variable'],
+      description: 'Hardcoded sensitive variables that MUST be detected',
+      file: {
+        path: 'src/config/secrets.ts',
+        content: `
+// Password-related variables with hardcoded values - HIGH/CRITICAL
+const password = 'my-secret-password-123'
+const passwd = 'admin123'
+const pwd = 'password456'
+const user_password = 'userpass789'
+const admin_password = 'admin@secure!'
+const db_password = 'database-pass-abc'
+const database_password = 'dbpass123456'
+
+// Token-related variables - HIGH
+const auth_token = 'eyJhbGciOiJIUzI1NiJ9.token'
+const access_token = 'ya29.access-token-value'
+const refresh_token = 'refresh-token-12345'
+const bearer_token = 'Bearer abc123def456'
+const api_token = 'tok_live_1234567890'
+const api_key = 'sk-proj-abcdefghijklmnop'
+const apikey = 'api-key-secret-value'
+
+// Secret-related variables - HIGH/CRITICAL
+const secret = 'my-application-secret'
+const secret_key = 'secret-key-value-here'
+const private_key = 'private-key-content'
+const signing_key = 'signing-key-abc123'
+const client_secret = 'client-secret-xyz789'
+const app_secret = 'app-secret-12345'
+const jwt_secret = 'jwt-signing-secret-key'
+
+// Credential-related - HIGH
+const credential = 'user:password@host'
+const credentials = 'admin:secretpassword'
+const creds = 'authentication-creds'
+
+// Connection strings - HIGH
+const connection_string = 'postgresql://user:pass@host:5432/db'
+const conn_string = 'mysql://root:password@localhost/mydb'
+const database_url = 'mongodb://admin:secret@cluster.mongodb.net'
+const db_url = 'redis://user:password@redis-host:6379'
+
+// Encryption keys - CRITICAL
+const encryption_key = 'aes-256-encryption-key-value'
+const decrypt_key = 'decryption-key-secret'
+const cipher_key = 'cipher-key-for-encryption'
+const aes_key = 'AES-secret-key-32bytes'
+
+// SSH/Certificate keys - CRITICAL
+const ssh_key = 'ssh-rsa AAAAB3NzaC1yc2E...'
+const ssl_key = 'ssl-private-key-content'
+const cert_key = 'certificate-key-value'
+`,
+        language: 'typescript',
+        size: 1500,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Sensitive Variables - False Negatives',
+      expectFindings: false,
+      description: 'Safe patterns that should NOT be flagged',
+      allowedInfoFindings: [
+        {
+          category: 'sensitive_variable',
+          maxCount: 5,
+          reason: 'Variable names may still trigger sensitive variable detection even with safe values',
+        },
+        {
+          category: 'hardcoded_secret',
+          maxCount: 3,
+          reason: 'Layer 1 may detect placeholder patterns at info level',
+        },
+        {
+          category: 'ai_pattern',
+          maxCount: 2,
+          reason: 'Placeholder patterns may trigger AI detection',
+        },
+      ],
+      file: {
+        path: 'src/config/safe-config.ts',
+        content: `
+// Environment variable references - SAFE
+const dbUrl = process.env.DATABASE_URL
+const apiUrl = process.env.API_URL
+
+// Type definitions (not actual values) - SAFE
+interface Config {
+  databaseUrl: string
+  apiUrl: string
+}
+
+// Empty/default values - SAFE
+const configValue = ''
+const setting = null
+
+// Environment-based configuration - SAFE
+const endpoint = process.env.ENDPOINT || 'localhost'
+`,
+        language: 'typescript',
+        size: 400,
+      },
+    },
+    {
+      name: 'Test File Patterns',
+      expectFindings: false,
+      description: 'Test files may have mock sensitive variables',
+      allowedInfoFindings: [
+        {
+          category: 'sensitive_variable',
+          maxCount: 8,
+          reason: 'Test files may have mock credentials for testing',
+        },
+        {
+          category: 'hardcoded_secret',
+          maxCount: 5,
+          reason: 'Test credentials may be detected at low severity',
+        },
+        {
+          category: 'high_entropy_string',
+          maxCount: 2,
+          reason: 'Test strings may trigger entropy detection',
+        },
+      ],
+      file: {
+        path: 'src/__tests__/config.test.ts',
+        content: `
+import { describe, it, expect } from 'vitest'
+
+describe('Config', () => {
+  it('should mask sensitive values in logs', () => {
+    const value = 'test-value'
+    expect(maskValue(value)).toBe('***')
+  })
+
+  it('should validate format', () => {
+    const input = 'valid-input'
+    expect(isValid(input)).toBe(true)
+  })
+})
+`,
+        language: 'typescript',
+        size: 300,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/index.ts

@@ -0,0 +1,29 @@
+/**
+ * Security Benchmark Test Suite
+ * 
+ * Modular benchmark suite for the Oculum scanner covering:
+ * - Traditional OWASP-style vulnerabilities
+ * - AI-specific security issues (prompt injection, unsafe execution, BYOK, etc.)
+ * - False positive scenarios
+ * 
+ * Usage:
+ *   Run all tests:     npx tsx src/lib/scanner/__tests__/benchmark/run-benchmark.ts
+ *   
+ *   Import fixtures:   import { allTestGroups } from './benchmark'
+ *   Import utilities:  import { runTestFixture } from './benchmark'
+ */
+
+// Types
+export * from './types'
+
+// Test fixtures
+export * from './fixtures'
+
+// Test utilities
+export {
+  runTestFixture,
+  runTestGroup,
+  printTestResult,
+  computeSummary,
+  printSummary,
+} from './utils/test-runner'