@oculum/scanner 1.0.0

package/src/layer1/entropy.ts

@@ -0,0 +1,583 @@
+/**
+ * Layer 1: High-Entropy String Detection
+ * Uses Shannon entropy to detect potential secrets that don't match known patterns
+ */
+
+import type { Vulnerability } from '../types'
+import {
+  isTestOrMockFile,
+  isComment,
+  isScannerOrFixtureFile,
+  isExampleFile,
+  isFixtureFile,
+  isExampleDirectory,
+} from '../utils/context-helpers'
+
+// Shannon entropy calculation
+export function calculateEntropy(str: string): number {
+  if (str.length === 0) return 0
+
+  const freq: Record<string, number> = {}
+  for (const char of str) {
+    freq[char] = (freq[char] || 0) + 1
+  }
+
+  let entropy = 0
+  const len = str.length
+  for (const char in freq) {
+    const p = freq[char] / len
+    entropy -= p * Math.log2(p)
+  }
+
+  return entropy
+}
+
+// Extract string literals from code
+function extractStringLiterals(content: string): Array<{ value: string; line: number; lineContent: string }> {
+  const strings: Array<{ value: string; line: number; lineContent: string }> = []
+  const lines = content.split('\n')
+
+  // Patterns for string literals
+  const patterns = [
+    /"([^"\\]|\\.){20,}"/g,      // Double-quoted strings 20+ chars
+    /'([^'\\]|\\.){20,}'/g,      // Single-quoted strings 20+ chars
+    /`([^`\\]|\\.){20,}`/g,      // Template literals 20+ chars
+  ]
+
+  lines.forEach((line, index) => {
+    for (const pattern of patterns) {
+      let match
+      const regex = new RegExp(pattern.source, pattern.flags)
+      while ((match = regex.exec(line)) !== null) {
+        // Remove quotes and get the actual string value
+        const value = match[0].slice(1, -1)
+        strings.push({
+          value,
+          line: index + 1,
+          lineContent: line.trim(),
+        })
+      }
+    }
+  })
+
+  return strings
+}
+
+// Check if string looks like a known safe pattern (URLs, paths, etc.)
+function isSafePattern(str: string): boolean {
+  const safePatterns = [
+    /^https?:\/\//i,                    // URLs
+    /^\/[a-z0-9_/-]+$/i,                // File paths
+    /^\d{4}-\d{2}-\d{2}/,               // Dates
+    /^[a-f0-9]{32}$/i,                  // MD5 hashes (often used as IDs)
+    /^[a-f0-9]{40}$/i,                  // SHA1 hashes
+    /^[a-f0-9]{64}$/i,                  // SHA256 hashes
+    /^data:[a-z]+\/[a-z]+;base64,/i,    // Data URLs
+    /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/i, // Emails
+    /^\s*$/,                            // Whitespace only
+    /^[a-z\s]+$/i,                      // Only letters and spaces (likely text)
+    /^\/?[\(\)\[\]\{\}\|\?\*\+\.\^\$\\:!_a-z0-9/-]+$/i, // Regex patterns (route matchers, etc.)
+  ]
+
+  return safePatterns.some(pattern => pattern.test(str))
+}
+
+// Check if string is a PEM header/footer (not an actual secret)
+function isPEMHeader(str: string): boolean {
+  const pemPatterns = [
+    /^-{3,}BEGIN\s+(PRIVATE|PUBLIC|RSA|DSA|EC|ENCRYPTED|CERTIFICATE)/i,
+    /^-{3,}END\s+(PRIVATE|PUBLIC|RSA|DSA|EC|ENCRYPTED|CERTIFICATE)/i,
+    /-----BEGIN\s+\w+\s+KEY-----/i,
+    /-----END\s+\w+\s+KEY-----/i,
+  ]
+  return pemPatterns.some(p => p.test(str))
+}
+
+// Check if string looks like encrypted/encoded content (not the key itself)
+function isEncryptedContent(str: string, lineContent: string): boolean {
+  // Patterns for encrypted content blocks (not the key)
+  const encryptedPatterns = [
+    /encrypted_content/i,
+    /ciphertext/i,
+    /encrypted_data/i,
+    /encrypted_value/i,
+    // Base64 encoded binary data (very long, uniform character set)
+    /^[A-Za-z0-9+/]{100,}={0,2}$/,  // Long base64 strings are often encrypted payloads
+  ]
+
+  // Check line context for encrypted content indicators
+  const contextIndicators = [
+    /["']encrypted_content["']\s*:/i,
+    /["']ciphertext["']\s*:/i,
+    /gAAAA/,  // Fernet encryption prefix
+  ]
+
+  return (
+    encryptedPatterns.some(p => p.test(str)) ||
+    contextIndicators.some(p => p.test(lineContent))
+  )
+}
+
+
+// Check if string looks like a JWT segment (base64url encoded, starts with eyJ)
+function isJWTSegment(str: string): boolean {
+  // JWT segments typically start with 'eyJ' (base64 for '{"')
+  // Full JWT format: header.payload.signature (all base64url)
+  if (str.startsWith('eyJ') && /^[A-Za-z0-9_-]+$/.test(str)) {
+    return true
+  }
+  // Check for full JWT pattern (3 dot-separated base64url segments)
+  if (/^eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(str)) {
+    return true
+  }
+  return false
+}
+
+// Check if string looks like a regex/route matcher pattern
+function isRegexPattern(str: string): boolean {
+  // Common regex metacharacters and patterns
+  const regexIndicators = ['(?', '(?!', '(?:', '(?=', '\\.',  '\\.', '.*', '.+', '[^', '|', '$)', '^', '$']
+  const indicatorCount = regexIndicators.filter(ind => str.includes(ind)).length
+  
+  // If it has multiple regex indicators, it's likely a regex pattern
+  return indicatorCount >= 2
+}
+
+// Check if string is a template literal with code expressions
+function isTemplateWithCode(str: string, lineContent: string): boolean {
+  // Check if the line contains template literal syntax with expressions
+  if (!lineContent.includes('`') && !lineContent.includes('${')) {
+    return false
+  }
+  
+  // Common code patterns inside template literals that create high entropy
+  const codePatterns = [
+    /\$\{[^}]*\.(toString|padStart|padEnd|toFixed|toLocaleString)\s*\(/i,  // Method calls
+    /\$\{[^}]*\?\.[^}]*\}/,  // Optional chaining
+    /\$\{[^}]*\s*\?\s*[^:]+\s*:\s*[^}]+\}/,  // Ternary operators
+    /var\s*\(\s*\$\{/,  // CSS var() with template
+    /\$\{[^}]*\.find\s*\(/i,  // Array methods
+    /\$\{[^}]*\.map\s*\(/i,
+    /\$\{[^}]*\.filter\s*\(/i,
+    /\$\{new\s+Date\(\)/i,  // Date formatting
+  ]
+  
+  return codePatterns.some(pattern => pattern.test(lineContent))
+}
+
+// Check if string is human-readable text/markdown content
+function isHumanReadableContent(str: string): boolean {
+  // Skip short strings
+  if (str.length < 30) return false
+  
+  // Check for markdown indicators
+  const markdownIndicators = ['## ', '# ', '**', '- [ ]', '- ', '\n\n', '\\n']
+  const hasMarkdown = markdownIndicators.some(ind => str.includes(ind))
+  
+  // Check word-like pattern ratio (spaces between word-like tokens)
+  const words = str.split(/\s+/).filter(w => w.length > 0)
+  const wordLikeTokens = words.filter(w => /^[a-zA-Z][a-zA-Z0-9'-]*[:.!?,]?$/.test(w))
+  
+  // If more than 50% of tokens look like words, it's probably text
+  const wordRatio = words.length > 0 ? wordLikeTokens.length / words.length : 0
+  
+  return hasMarkdown || wordRatio > 0.5
+}
+
+// Check if string looks like a UI/display string (model names, descriptions, etc.)
+function isUIString(str: string, lineContent: string): boolean {
+  // Common UI string patterns
+  const uiPatterns = [
+    /['"`].*Claude.*['"`]/i,
+    /['"`].*GPT.*['"`]/i,
+    /['"`].*Sonnet.*['"`]/i,
+    /['"`].*for\s+(chat|embeddings|completion).*['"`]/i,
+    /['"`]Uses\s+/i,
+    /['"`]Note:\s*/i,
+    /placeholder['"`:]/i,
+    /description['"`:]/i,
+    /label['"`:]/i,
+    /title['"`:]/i,
+    /message['"`:]/i,
+    /tooltip['"`:]/i,
+  ]
+
+  return uiPatterns.some(pattern => pattern.test(lineContent))
+}
+
+// Check if string is in a React/JSX UI context (component props, JSX text)
+function isJSXUIContext(lineContent: string): boolean {
+  // JSX patterns that indicate UI context
+  const jsxUIPatterns = [
+    // Component props (common UI props)
+    /\b(placeholder|title|label|message|description|tooltip|alt|aria-label|name|id|className|testId|data-testid)\s*=\s*['"`]/i,
+    // JSX text children (text between tags)
+    />\s*['"`][^<]*['"`]\s*</,
+    // Common UI component names
+    /<(Button|Text|Label|Title|Heading|Paragraph|Span|Input|Tooltip|Badge|Alert|Toast)/i,
+    // Return statement with JSX template literal
+    /return\s+`[^`]*\$\{/,
+    // Template literals used for display
+    /['"`]Synced\s+/i,
+    /['"`]\d+\s*(h|hr|hour|m|min|minute|s|sec|second)s?\s+ago['"`]/i,
+    // Display formatting patterns
+    /\.toLocaleString\s*\(|\.toFixed\s*\(|\.padStart\s*\(/,
+  ]
+
+  return jsxUIPatterns.some(pattern => pattern.test(lineContent))
+}
+
+// Check if string is natural language (high ratio of common English words)
+function isNaturalLanguage(str: string): boolean {
+  // Skip short strings
+  if (str.length < 25) return false
+
+  // Common English words that appear in natural language
+  const commonWords = new Set([
+    'the', 'a', 'an', 'is', 'are', 'was', 'were', 'be', 'been', 'being',
+    'have', 'has', 'had', 'do', 'does', 'did', 'will', 'would', 'could',
+    'should', 'may', 'might', 'must', 'shall', 'can', 'need', 'to', 'of',
+    'in', 'for', 'on', 'with', 'at', 'by', 'from', 'up', 'about', 'into',
+    'through', 'during', 'before', 'after', 'above', 'below', 'between',
+    'under', 'again', 'further', 'then', 'once', 'here', 'there', 'when',
+    'where', 'why', 'how', 'all', 'each', 'few', 'more', 'most', 'other',
+    'some', 'such', 'no', 'nor', 'not', 'only', 'own', 'same', 'so', 'than',
+    'too', 'very', 'just', 'also', 'now', 'and', 'but', 'or', 'if', 'as',
+    'your', 'you', 'this', 'that', 'it', 'they', 'we', 'he', 'she', 'my',
+    'their', 'our', 'his', 'her', 'its', 'ago', 'synced', 'updated', 'created',
+  ])
+
+  // Split into words and count common ones
+  const words = str.toLowerCase().split(/\s+/).filter(w => w.length > 1)
+  if (words.length < 3) return false
+
+  const commonWordCount = words.filter(w => commonWords.has(w.replace(/[^a-z]/g, ''))).length
+  const commonWordRatio = commonWordCount / words.length
+
+  // If more than 30% of words are common English words, it's likely natural language
+  return commonWordRatio > 0.3
+}
+
+// Check if string looks like CSS/Tailwind classes
+function isCSSClasses(str: string): boolean {
+  // Tailwind/CSS class patterns
+  const cssIndicators = [
+    'flex', 'grid', 'block', 'inline', 'hidden',
+    'items-', 'justify-', 'gap-', 'space-',
+    'text-', 'font-', 'bg-', 'border-', 'rounded',
+    'px-', 'py-', 'pt-', 'pb-', 'pl-', 'pr-', 'p-',
+    'mx-', 'my-', 'mt-', 'mb-', 'ml-', 'mr-', 'm-',
+    'w-', 'h-', 'min-', 'max-',
+    'hover:', 'focus:', 'active:', 'disabled:',
+    'sm:', 'md:', 'lg:', 'xl:', '2xl:',
+    'dark:', 'light:',
+    'transition', 'duration-', 'ease-',
+    'absolute', 'relative', 'fixed', 'sticky',
+    'top-', 'bottom-', 'left-', 'right-',
+    'z-', 'overflow-', 'opacity-',
+    'ring-', 'shadow-', 'outline-',
+  ]
+
+  // Count how many CSS-like tokens are in the string
+  const tokens = str.toLowerCase().split(/\s+/)
+  const cssTokenCount = tokens.filter(token => 
+    cssIndicators.some(indicator => token.includes(indicator))
+  ).length
+
+  // If more than 30% of tokens look like CSS classes, it's probably CSS
+  return cssTokenCount > 0 && (cssTokenCount / tokens.length) > 0.3
+}
+
+// Check if string looks like CSS-in-JS (styled-components, emotion, etc.)
+function isCSSInJS(lineContent: string): boolean {
+  const cssInJSPatterns = [
+    /styled\./,                           // styled.div, styled.button
+    /styled\(/,                           // styled(Component)
+    /css`/,                               // css`` template literal
+    /keyframes`/,                         // keyframes`` template literal
+    /@emotion/,                           // @emotion imports
+    /createGlobalStyle/,                  // styled-components global
+    /\$\{\s*props\s*=>/,                  // ${props => ...} in styled
+    /\$\{\s*\(\s*\{/,                     // ${({ theme }) => ...}
+  ]
+  return cssInJSPatterns.some(p => p.test(lineContent))
+}
+
+// Check if file is documentation/README
+function isDocumentationFile(filePath: string): boolean {
+  const docPatterns = [
+    /README/i,
+    /CHANGELOG/i,
+    /CONTRIBUTING/i,
+    /LICENSE/i,
+    /CODE_OF_CONDUCT/i,
+    /SECURITY/i,
+    /AUTHORS/i,
+    /HISTORY/i,
+    /\.md$/i,
+    /\.mdx$/i,
+    /\.rst$/i,        // reStructuredText
+    /\.adoc$/i,       // AsciiDoc
+    /\.txt$/i,        // Plain text docs
+    /\/docs\//i,
+    /\/documentation\//i,
+    /\/wiki\//i,
+    /\/guides?\//i,
+    /\/tutorials?\//i,
+    /\/examples?\//i,  // Example directories often have sample configs
+  ]
+  return docPatterns.some(p => p.test(filePath))
+}
+
+// Check if string is a console.log/debug statement content
+function isDebugLogContent(lineContent: string): boolean {
+  const debugPatterns = [
+    /console\.(log|debug|info|warn|error)\s*\(/i,
+    /logger\.(log|debug|info|warn|error)\s*\(/i,
+    /\[.*Debug.*\]/i,
+    /\[.*Log.*\]/i,
+  ]
+  return debugPatterns.some(pattern => pattern.test(lineContent))
+}
+
+
+// Check if string is inline style (JSX or HTML)
+function isInlineStyle(lineContent: string): boolean {
+  // JSX inline styles
+  const jsxStylePatterns = [
+    /style\s*=\s*\{\{/,                    // style={{...}}
+    /style\s*=\s*\{[^}]*:/,                // style={{ color: ... }}
+    /className\s*=\s*["`'][^"`']*gradient/i, // gradient classes
+    /className\s*=\s*["`'][^"`']*bg-/i,     // bg- classes
+  ]
+
+  // HTML inline styles
+  const htmlStylePatterns = [
+    /style\s*=\s*["'][^"']*:/,             // style="color: ..."
+    /<style[^>]*>/i,                        // <style> tags
+    /background:\s*linear-gradient/i,       // CSS gradients
+    /background:\s*radial-gradient/i,       // Radial gradients
+  ]
+
+  return [...jsxStylePatterns, ...htmlStylePatterns].some(p => p.test(lineContent))
+}
+
+// Check if string contains CSS tokens (colors, units, functions)
+function hasCSSTokens(str: string): boolean {
+  const cssTokens = [
+    // CSS units
+    /\d+px\b/, /\d+%\b/, /\d+em\b/, /\d+rem\b/, /\d+deg\b/, /\d+vh\b/, /\d+vw\b/,
+
+    // Hex colors (standalone or in context)
+    /#[0-9a-f]{3,8}\b/i,
+
+    // CSS color functions
+    /rgb\s*\(/, /rgba\s*\(/, /hsl\s*\(/, /hsla\s*\(/,
+    /oklab\s*\(/, /oklch\s*\(/, /lab\s*\(/, /lch\s*\(/,  // Modern color functions
+
+    // CSS gradients (all types)
+    /linear-gradient/, /radial-gradient/, /conic-gradient/,
+    /repeating-linear-gradient/, /repeating-radial-gradient/,
+
+    // Gradient direction keywords (Tailwind-style)
+    /\bfrom-/, /\bto-/, /\bvia-/,
+
+    // CSS custom properties
+    /var\s*\(--/,
+
+    // Common CSS properties
+    /\bopacity\s*:\s*[\d.]+/,
+    /\btransform\s*:/,
+    /\btransition\s*:/,
+    /\banimation\s*:/,
+
+    // Box shadow patterns
+    /\bshadow-/, /box-shadow/,
+    /\d+px\s+\d+px\s+\d+px/,  // Shadow offset pattern
+
+    // Color stops in gradients
+    /\b\d+%\s*(,|$)/,  // Percentage color stops
+  ]
+
+  // Single strong indicators (only need 1 match)
+  const strongIndicators = [
+    /^#[0-9a-f]{6}$/i,           // Standalone 6-digit hex color
+    /^#[0-9a-f]{8}$/i,           // Standalone 8-digit hex color with alpha
+    /linear-gradient\s*\(/,      // Gradient function
+    /radial-gradient\s*\(/,
+    /conic-gradient\s*\(/,
+    /rgba?\s*\(\s*\d/,           // rgb/rgba with numbers
+    /hsla?\s*\(\s*\d/,           // hsl/hsla with numbers
+  ]
+
+  // If any strong indicator matches, it's definitely CSS
+  if (strongIndicators.some(pattern => pattern.test(str))) {
+    return true
+  }
+
+  // Must match at least 2 CSS indicators to be confident it's CSS
+  const tokenCount = cssTokens.filter(pattern => pattern.test(str)).length
+  return tokenCount >= 2
+}
+
+// Check if value/line contains environment variable placeholders (shell scripts, test files)
+function isEnvVarPlaceholder(lineContent: string, value: string): boolean {
+  // Shell script patterns
+  const shellEnvPatterns = [
+    /\$[A-Z_][A-Z0-9_]*/,              // $VAR_NAME
+    /\$\{[A-Z_][A-Z0-9_]*\}/,          // ${VAR_NAME}
+    /\bexport\s+[A-Z_][A-Z0-9_]*=["']?\$/,  // export VAR=$OTHER
+    /:\s*\$\{[A-Z_][A-Z0-9_]*:-/,      // ${VAR:-default}
+  ]
+
+  // Test file env var patterns (common placeholder names)
+  const testEnvPatterns = [
+    /FREE_KEY|PRO_KEY|ULTRA_KEY|TEST_KEY/i,
+    /BASE_URL|API_URL|ENDPOINT_URL/i,
+    /YOUR_[A-Z_]*KEY|REPLACE_[A-Z_]*KEY/i,
+    /\$\{?\w+\}?_KEY|\$\{?\w+\}?_TOKEN/i,  // $SOME_KEY, ${SOME_TOKEN}
+  ]
+
+  return (
+    shellEnvPatterns.some(p => p.test(lineContent)) ||
+    testEnvPatterns.some(p => p.test(value)) ||
+    testEnvPatterns.some(p => p.test(lineContent))
+  )
+}
+
+export function detectHighEntropyStrings(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) {
+    return vulnerabilities
+  }
+
+  // Skip fixture files (__fixtures__, .fixture., mock-data, etc.)
+  if (isFixtureFile(filePath)) {
+    return vulnerabilities
+  }
+
+  // Skip example files
+  if (isExampleFile(filePath)) {
+    return vulnerabilities
+  }
+
+  // Skip example directories (/examples/, /demos/, /tutorials/, etc.)
+  if (isExampleDirectory(filePath)) {
+    return vulnerabilities
+  }
+
+  // Skip documentation/README files
+  if (isDocumentationFile(filePath)) {
+    return vulnerabilities
+  }
+
+  const strings = extractStringLiterals(content)
+
+  for (const { value, line, lineContent } of strings) {
+    // Skip comments
+    if (isComment(lineContent)) continue
+
+    // Skip PEM headers/footers (they look high-entropy but aren't secrets)
+    if (isPEMHeader(value)) continue
+
+    // Skip encrypted content blocks (the payload, not the key)
+    if (isEncryptedContent(value, lineContent)) continue
+
+    // Skip JWT segments (handled by patterns.ts for specific detection)
+    if (isJWTSegment(value)) continue
+
+    // Skip inline styles (CSS/JSX style={{...}} or style="...")
+    if (isInlineStyle(lineContent)) continue
+
+    // Skip strings with CSS tokens (colors, gradients, units)
+    if (hasCSSTokens(value)) continue
+
+    // Skip environment variable placeholders (shell scripts, test files)
+    if (isEnvVarPlaceholder(lineContent, value)) continue
+
+    // Skip safe patterns
+    if (isSafePattern(value)) continue
+
+    // Skip CSS/Tailwind class strings
+    if (isCSSClasses(value)) continue
+
+    // Skip CSS-in-JS patterns (styled-components, emotion)
+    if (isCSSInJS(lineContent)) continue
+
+    // Skip debug log statements (they often contain env var names which look high-entropy)
+    if (isDebugLogContent(lineContent)) continue
+
+    // Skip regex/route matcher patterns
+    if (isRegexPattern(value)) continue
+
+    // Skip template literals with code expressions (they look high-entropy but aren't secrets)
+    if (isTemplateWithCode(value, lineContent)) continue
+
+    // Skip human-readable text/markdown content
+    if (isHumanReadableContent(value)) continue
+
+    // Skip UI strings (model names, descriptions, etc.)
+    if (isUIString(value, lineContent)) continue
+
+    // Skip JSX UI context (component props, JSX text - like "Synced ${hours}h ago")
+    if (isJSXUIContext(lineContent)) continue
+
+    // Skip natural language strings (high ratio of common English words)
+    if (isNaturalLanguage(value)) continue
+
+    // Calculate entropy
+    const entropy = calculateEntropy(value)
+
+    // Determine if this is a test file (lower severity)
+    const inTestFile = isTestOrMockFile(filePath)
+
+    // Two thresholds:
+    // - entropy > 4.5 for strings > 20 chars (standard)
+    // - entropy > 4.2 for strings 16-20 chars (slightly stricter to reduce FPs)
+    const meetsThreshold =
+      (entropy > 4.5 && value.length > 20) ||
+      (entropy > 4.2 && value.length >= 16 && value.length <= 20)
+
+    if (meetsThreshold) {
+      // Additional check: should have mix of character types
+      const hasLower = /[a-z]/.test(value)
+      const hasUpper = /[A-Z]/.test(value)
+      const hasDigit = /[0-9]/.test(value)
+      const hasSpecial = /[^a-zA-Z0-9]/.test(value)
+      const charTypes = [hasLower, hasUpper, hasDigit, hasSpecial].filter(Boolean).length
+
+      // Only flag if it has at least 2 character types (looks like a secret)
+      if (charTypes >= 2) {
+        // Final check: skip CSS-like strings that passed earlier filters
+        const looksLikeCSS = /gradient|rgba?|hsla?|#[0-9a-f]{3,8}/i.test(value)
+        if (looksLikeCSS) continue
+        // Lower severity for test files
+        const baseSeverity = entropy > 5.0 ? 'high' : 'medium'
+        const severity = inTestFile ? 'low' : baseSeverity
+        const confidence = inTestFile ? 'low' : (entropy > 5.0 ? 'high' : 'medium')
+
+        vulnerabilities.push({
+          id: `entropy-${filePath}-${line}`,
+          filePath,
+          lineNumber: line,
+          lineContent,
+          severity,
+          category: 'high_entropy_string',
+          title: 'Potential hardcoded secret detected',
+          description: `High-entropy string found (entropy: ${entropy.toFixed(2)}). This may be a hardcoded secret, API key, or password.${inTestFile ? ' (in test file)' : ''}`,
+          suggestedFix: 'Move this value to an environment variable and access it via process.env',
+          confidence,
+          layer: 1,
+          requiresAIValidation: true,  // Entropy findings must be validated by AI
+        })
+      }
+    }
+  }
+
+  return vulnerabilities
+}