@oculum/scanner 1.0.0

package/src/layer2/index.ts

@@ -0,0 +1,473 @@
+/**
+ * Layer 2: Structural Scan
+ * Contextual analysis using variable heuristics, logic gate detection,
+ * dangerous functions, risky imports, auth anti-patterns, framework checks,
+ * and AI code fingerprinting
+ */
+
+import type { Vulnerability, ScanFile } from '../types'
+import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
+import { detectAuthHelpers, type AuthHelperContext } from '../utils/auth-helper-detector'
+import type { FileAuthImports } from '../utils/imported-auth-detector'
+import {
+  filterFindingsByPath,
+  type ExclusionConfig,
+} from '../utils/path-exclusions'
+import { detectSensitiveVariables } from './variables'
+import { detectLogicGates } from './logic-gates'
+import { detectDangerousFunctions } from './dangerous-functions'
+import { detectRiskyImports } from './risky-imports'
+import { detectAuthAntipatterns } from './auth-antipatterns'
+import { detectFrameworkIssues } from './framework-checks'
+import { detectAIFingerprints } from './ai-fingerprinting'
+import { detectDataExposure } from './data-exposure'
+import { detectBYOKPatterns } from './byok-patterns'
+// Story B: AI-specific detection modules
+import { detectAIPromptHygiene } from './ai-prompt-hygiene'
+import { detectAIExecutionSinks } from './ai-execution-sinks'
+import { detectAIAgentTools } from './ai-agent-tools'
+// M5: New AI-era detectors
+import { detectRAGSafetyIssues } from './ai-rag-safety'
+import { detectAIEndpointProtection } from './ai-endpoint-protection'
+import { detectAISchemaValidation } from './ai-schema-validation'
+// Tier system imports
+import {
+  type TierStats,
+  computeTierStats,
+  formatTierStats,
+  getLayer2DetectorTier,
+  type Layer2DetectorName,
+} from '../tiers'
+
+export interface Layer2Options {
+  middlewareConfig?: MiddlewareAuthConfig
+  authHelperContext?: AuthHelperContext
+  fileAuthImports?: Map<string, FileAuthImports>
+  /** Whether to exclude test files from scanning (default: true) */
+  excludeTestFiles?: boolean
+  /** Whether to exclude seed files from scanning (default: true) */
+  excludeSeedFiles?: boolean
+  /** Custom exclusion patterns (glob format) */
+  customExclusions?: string[]
+}
+
+export interface Layer2Stats {
+  /** Raw finding counts per detector (before dedupe) */
+  raw: Record<string, number>
+  /** Deduped finding counts per category */
+  deduped: Record<string, number>
+  /** Severity distribution of deduped findings */
+  bySeverity: Record<string, number>
+  /** Tier breakdown of deduped findings */
+  tiers: TierStats
+  /** Findings suppressed by path exclusions */
+  suppressedByPath: number
+}
+
+export interface Layer2Result {
+  vulnerabilities: Vulnerability[]
+  filesScanned: number
+  duration: number
+  /** Heuristic breakdown stats for noise analysis */
+  stats: Layer2Stats
+}
+
+export async function runLayer2Scan(
+  files: ScanFile[],
+  options: Layer2Options = {}
+): Promise<Layer2Result> {
+  const startTime = Date.now()
+  const vulnerabilities: Vulnerability[] = []
+  const stats = {
+    variables: 0,
+    logicGates: 0,
+    dangerousFunctions: 0,
+    riskyImports: 0,
+    authAntipatterns: 0,
+    frameworkIssues: 0,
+    aiFingerprints: 0,
+    dataExposure: 0,
+    byokPatterns: 0,
+    promptHygiene: 0,
+    executionSinks: 0,
+    agentTools: 0,
+    // M5: New AI-era detectors
+    ragSafety: 0,
+    endpointProtection: 0,
+    schemaValidation: 0,
+  }
+  
+  // Detect auth helpers once for all files (if not already provided)
+  const authHelperContext = options.authHelperContext || detectAuthHelpers(files)
+
+  for (const file of files) {
+    // Only scan code files for Layer 2 (skip configs, etc.)
+    if (isCodeFile(file.path)) {
+      // Existing scanners
+      const variableFindings = detectSensitiveVariables(file.content, file.path)
+      const logicFindings = detectLogicGates(file.content, file.path)
+      
+      // New Layer 2 scanners
+      const dangerousFuncFindings = detectDangerousFunctions(file.content, file.path)
+      const riskyImportFindings = detectRiskyImports(file.content, file.path)
+      const authFindings = detectAuthAntipatterns(file.content, file.path, {
+        middlewareConfig: options.middlewareConfig,
+        authHelpers: authHelperContext,
+        fileAuthImports: options.fileAuthImports,
+      })
+      const frameworkFindings = detectFrameworkIssues(file.content, file.path)
+      const aiFindings = detectAIFingerprints(file.content, file.path)
+      const dataExposureFindings = detectDataExposure(file.content, file.path)
+      const byokFindings = detectBYOKPatterns(file.content, file.path, options.middlewareConfig)
+
+      // Story B: AI-specific detection (prompt hygiene, execution sinks, agent tools)
+      const promptHygieneFindings = detectAIPromptHygiene(file.content, file.path)
+      const executionSinkFindings = detectAIExecutionSinks(file.content, file.path)
+      const agentToolFindings = detectAIAgentTools(file.content, file.path)
+
+      // M5: New AI-era detectors
+      const ragSafetyFindings = detectRAGSafetyIssues(file.content, file.path)
+      const endpointProtectionFindings = detectAIEndpointProtection(file.content, file.path, {
+        middlewareConfig: options.middlewareConfig,
+      })
+      const schemaValidationFindings = detectAISchemaValidation(file.content, file.path)
+
+      stats.variables += variableFindings.length
+      stats.logicGates += logicFindings.length
+      stats.dangerousFunctions += dangerousFuncFindings.length
+      stats.riskyImports += riskyImportFindings.length
+      stats.authAntipatterns += authFindings.length
+      stats.frameworkIssues += frameworkFindings.length
+      stats.aiFingerprints += aiFindings.length
+      stats.dataExposure += dataExposureFindings.length
+      stats.byokPatterns += byokFindings.length
+      stats.promptHygiene += promptHygieneFindings.length
+      stats.executionSinks += executionSinkFindings.length
+      stats.agentTools += agentToolFindings.length
+      stats.ragSafety += ragSafetyFindings.length
+      stats.endpointProtection += endpointProtectionFindings.length
+      stats.schemaValidation += schemaValidationFindings.length
+
+      vulnerabilities.push(
+        ...variableFindings,
+        ...logicFindings,
+        ...dangerousFuncFindings,
+        ...riskyImportFindings,
+        ...authFindings,
+        ...frameworkFindings,
+        ...aiFindings,
+        ...dataExposureFindings,
+        ...byokFindings,
+        ...promptHygieneFindings,
+        ...executionSinkFindings,
+        ...agentToolFindings,
+        ...ragSafetyFindings,
+        ...endpointProtectionFindings,
+        ...schemaValidationFindings
+      )
+    }
+  }
+
+  // Deduplicate findings
+  const dedupedVulnerabilities = deduplicateFindings(vulnerabilities)
+
+  // Apply path exclusions (test files, seed files, etc.)
+  // By default, exclude test and seed files unless explicitly disabled
+  const excludeTestFiles = options.excludeTestFiles !== false
+  const excludeSeedFiles = options.excludeSeedFiles !== false
+  
+  // Build exclusion config based on options
+  const exclusionConfig: Partial<ExclusionConfig> = {}
+  if (!excludeTestFiles) {
+    exclusionConfig.testPatterns = []
+  }
+  if (!excludeSeedFiles) {
+    exclusionConfig.seedPatterns = []
+  }
+  if (options.customExclusions) {
+    // Add custom exclusions to all pattern types
+    exclusionConfig.testPatterns = [
+      ...(exclusionConfig.testPatterns || []),
+      ...options.customExclusions,
+    ]
+  }
+
+  const { kept: uniqueVulnerabilities, suppressed } = filterFindingsByPath(
+    dedupedVulnerabilities,
+    Object.keys(exclusionConfig).length > 0 ? exclusionConfig : undefined
+  )
+
+  // Log suppressed findings
+  if (suppressed.length > 0) {
+    console.log(`[Layer 2] Suppressed ${suppressed.length} findings in test/seed/example files:`)
+    const byReason = new Map<string, number>()
+    for (const { reason } of suppressed) {
+      byReason.set(reason || 'unknown', (byReason.get(reason || 'unknown') || 0) + 1)
+    }
+    for (const [reason, count] of byReason) {
+      console.log(`  - ${reason}: ${count}`)
+    }
+  }
+
+  // Build raw stats map for logging
+  const rawStats: Record<string, number> = {
+    sensitive_variables: stats.variables,
+    logic_gates: stats.logicGates,
+    dangerous_functions: stats.dangerousFunctions,
+    risky_imports: stats.riskyImports,
+    auth_antipatterns: stats.authAntipatterns,
+    framework_issues: stats.frameworkIssues,
+    ai_fingerprints: stats.aiFingerprints,
+    data_exposure: stats.dataExposure,
+    byok_patterns: stats.byokPatterns,
+    ai_prompt_hygiene: stats.promptHygiene,
+    ai_execution_sinks: stats.executionSinks,
+    ai_agent_tools: stats.agentTools,
+    // M5: New AI-era detectors
+    ai_rag_safety: stats.ragSafety,
+    ai_endpoint_protection: stats.endpointProtection,
+    ai_schema_validation: stats.schemaValidation,
+  }
+
+  // Compute deduped counts per category
+  const dedupedStats: Record<string, number> = {}
+  for (const vuln of uniqueVulnerabilities) {
+    const cat = vuln.category
+    dedupedStats[cat] = (dedupedStats[cat] || 0) + 1
+  }
+
+  // Compute severity distribution
+  const severityStats: Record<string, number> = { critical: 0, high: 0, medium: 0, low: 0, info: 0 }
+  for (const vuln of uniqueVulnerabilities) {
+    severityStats[vuln.severity] = (severityStats[vuln.severity] || 0) + 1
+  }
+
+  // Compute tier breakdown (all Layer 2 findings have layer: 2)
+  const tierStats = computeTierStats(
+    uniqueVulnerabilities.map(v => ({ category: v.category, layer: 2 as const }))
+  )
+
+  // Map raw stats keys to detector names for tier lookup
+  const detectorNameMap: Record<string, Layer2DetectorName> = {
+    sensitive_variables: 'variables',
+    logic_gates: 'logic_gates',
+    dangerous_functions: 'dangerous_functions',
+    risky_imports: 'risky_imports',
+    auth_antipatterns: 'auth_antipatterns',
+    framework_issues: 'framework_checks',
+    ai_fingerprints: 'ai_fingerprinting',
+    data_exposure: 'data_exposure',
+    byok_patterns: 'byok_patterns',
+    ai_prompt_hygiene: 'ai_prompt_hygiene',
+    ai_execution_sinks: 'ai_execution_sinks',
+    ai_agent_tools: 'ai_agent_tools',
+    // M5: New AI-era detectors
+    ai_rag_safety: 'ai_rag_safety',
+    ai_endpoint_protection: 'ai_endpoint_protection',
+    ai_schema_validation: 'ai_schema_validation',
+  }
+
+  // Log heuristic breakdown (raw findings before dedupe) with tier info
+  console.log('[Layer 2] Heuristic breakdown (raw findings before dedupe):')
+  for (const [name, count] of Object.entries(rawStats)) {
+    if (count > 0) {
+      const detectorName = detectorNameMap[name]
+      const tier = detectorName ? getLayer2DetectorTier(detectorName) : 'unknown'
+      console.log(`  - ${name}: ${count} (${tier})`)
+    }
+  }
+  console.log(`[Layer 2] Tier breakdown (after dedupe): ${formatTierStats(tierStats)}`)
+
+  return {
+    vulnerabilities: uniqueVulnerabilities,
+    filesScanned: files.filter(f => isCodeFile(f.path)).length,
+    duration: Date.now() - startTime,
+    stats: {
+      raw: rawStats,
+      deduped: dedupedStats,
+      bySeverity: severityStats,
+      tiers: tierStats,
+      suppressedByPath: suppressed.length,
+    },
+  }
+}
+
+// Check if file is a code file (not config/data)
+function isCodeFile(filePath: string): boolean {
+  const codeExtensions = [
+    '.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs',
+    '.py', '.rb', '.php', '.go', '.java', '.cs',
+    '.rs', '.swift', '.kt', '.scala',
+  ]
+
+  return codeExtensions.some(ext => filePath.endsWith(ext))
+}
+
+// Remove duplicate findings on the same line and merge related findings
+function deduplicateFindings(vulnerabilities: Vulnerability[]): Vulnerability[] {
+  // First pass: exact deduplication by file:line:category
+  const seen = new Map<string, Vulnerability>()
+
+  for (const vuln of vulnerabilities) {
+    const key = `${vuln.filePath}:${vuln.lineNumber}:${vuln.category}`
+    const existing = seen.get(key)
+
+    // Keep the higher severity finding
+    if (!existing || severityRank(vuln.severity) > severityRank(existing.severity)) {
+      seen.set(key, vuln)
+    }
+  }
+
+  // Second pass: merge findings on adjacent lines (within 3 lines) with same category
+  const dedupedList = Array.from(seen.values())
+  const merged = mergeAdjacentFindings(dedupedList)
+
+  // Third pass: subsume related categories (e.g., specific finding subsumes generic)
+  return subsumeRelatedFindings(merged)
+}
+
+// Merge findings on adjacent lines with the same category
+function mergeAdjacentFindings(vulnerabilities: Vulnerability[]): Vulnerability[] {
+  if (vulnerabilities.length <= 1) return vulnerabilities
+
+  // Group by file and category
+  const groups = new Map<string, Vulnerability[]>()
+  for (const vuln of vulnerabilities) {
+    const key = `${vuln.filePath}:${vuln.category}`
+    const group = groups.get(key) || []
+    group.push(vuln)
+    groups.set(key, group)
+  }
+
+  const result: Vulnerability[] = []
+
+  for (const [, group] of groups) {
+    if (group.length === 1) {
+      result.push(group[0])
+      continue
+    }
+
+    // Sort by line number
+    group.sort((a, b) => a.lineNumber - b.lineNumber)
+
+    // Merge adjacent findings (within 3 lines)
+    let current = group[0]
+    let mergedCount = 1
+
+    for (let i = 1; i < group.length; i++) {
+      const next = group[i]
+      if (next.lineNumber - current.lineNumber <= 3) {
+        // Merge: keep higher severity, note the merge
+        mergedCount++
+        if (severityRank(next.severity) > severityRank(current.severity)) {
+          current = {
+            ...next,
+            title: current.title,
+            description: current.description,
+          }
+        }
+      } else {
+        // Not adjacent - emit current and start new
+        if (mergedCount > 1) {
+          current = {
+            ...current,
+            title: `${current.title} (${mergedCount} occurrences)`,
+          }
+        }
+        result.push(current)
+        current = next
+        mergedCount = 1
+      }
+    }
+
+    // Emit last
+    if (mergedCount > 1) {
+      current = {
+        ...current,
+        title: `${current.title} (${mergedCount} occurrences)`,
+      }
+    }
+    result.push(current)
+  }
+
+  return result
+}
+
+// Subsume related findings where a more specific finding covers a generic one
+function subsumeRelatedFindings(vulnerabilities: Vulnerability[]): Vulnerability[] {
+  // Define subsumption rules: specific category subsumes generic
+  const subsumptionRules: Record<string, string[]> = {
+    // SQL injection subsumes generic dangerous function
+    sql_injection: ['dangerous_function'],
+    // Command injection subsumes generic dangerous function
+    command_injection: ['dangerous_function'],
+    // XSS subsumes generic dangerous function
+    xss: ['dangerous_function'],
+    // Specific auth issues subsume generic missing auth
+    missing_auth: ['auth_antipattern'],
+  }
+
+  // Group by file and line
+  const byLocation = new Map<string, Vulnerability[]>()
+  for (const vuln of vulnerabilities) {
+    const key = `${vuln.filePath}:${vuln.lineNumber}`
+    const group = byLocation.get(key) || []
+    group.push(vuln)
+    byLocation.set(key, group)
+  }
+
+  const result: Vulnerability[] = []
+
+  for (const [, group] of byLocation) {
+    if (group.length === 1) {
+      result.push(group[0])
+      continue
+    }
+
+    // Check for subsumption
+    const toKeep = new Set(group)
+    for (const vuln of group) {
+      const subsumes = subsumptionRules[vuln.category]
+      if (subsumes) {
+        for (const other of group) {
+          if (subsumes.includes(other.category) && other !== vuln) {
+            toKeep.delete(other)
+          }
+        }
+      }
+    }
+
+    result.push(...toKeep)
+  }
+
+  return result
+}
+
+function severityRank(severity: string): number {
+  const ranks: Record<string, number> = {
+    critical: 4,
+    high: 3,
+    medium: 2,
+    low: 1,
+    info: 0,
+  }
+  return ranks[severity] || 0
+}
+
+export { detectSensitiveVariables } from './variables'
+export { detectLogicGates } from './logic-gates'
+export { detectDangerousFunctions } from './dangerous-functions'
+export { detectRiskyImports } from './risky-imports'
+export { detectAuthAntipatterns } from './auth-antipatterns'
+export { detectFrameworkIssues } from './framework-checks'
+export { detectAIFingerprints } from './ai-fingerprinting'
+export { detectDataExposure } from './data-exposure'
+export { detectBYOKPatterns } from './byok-patterns'
+// Story B: AI-specific detectors
+export { detectAIPromptHygiene } from './ai-prompt-hygiene'
+export { detectAIExecutionSinks } from './ai-execution-sinks'
+export { detectAIAgentTools } from './ai-agent-tools'
+// M5: New AI-era detectors
+export { detectRAGSafetyIssues } from './ai-rag-safety'
+export { detectAIEndpointProtection } from './ai-endpoint-protection'
+export { detectAISchemaValidation } from './ai-schema-validation'

package/src/layer2/logic-gates.ts

@@ -0,0 +1,206 @@
+/**
+ * Layer 2: Logic Gates Detection
+ * Identifies security bypass patterns and dangerous logic flows
+ */
+
+import type { Vulnerability } from '../types'
+
+interface LogicPattern {
+  name: string
+  pattern: RegExp
+  severity: 'critical' | 'high' | 'medium' | 'low'
+  description: string
+  suggestedFix: string
+}
+
+// Patterns for security bypass logic
+const LOGIC_PATTERNS: LogicPattern[] = [
+  // Development mode bypasses
+  {
+    name: 'Development mode security bypass',
+    pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]production['"]\s*\)\s*(return\s+true|return\s*;|continue|break)/gi,
+    severity: 'high',
+    description: 'Security check bypassed in non-production environments',
+    suggestedFix: 'Remove development-only bypasses or ensure they cannot be triggered in production',
+  },
+  {
+    name: 'Development mode auth skip',
+    pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]development['"]\s*\)/gi,
+    severity: 'medium',
+    description: 'Code path that only runs in development - verify no security implications',
+    suggestedFix: 'Ensure this development-only code does not bypass security controls',
+  },
+  // Auth bypasses
+  {
+    name: 'Authentication bypass pattern',
+    pattern: /if\s*\(\s*(true|1|!false)\s*\)\s*{\s*(return|next|resolve)/gi,
+    severity: 'critical',
+    description: 'Hardcoded truthy condition may bypass authentication',
+    suggestedFix: 'Remove hardcoded bypass and implement proper authentication check',
+  },
+  {
+    name: 'Commented auth check',
+    pattern: /\/\/\s*(if|await|return).*auth|\/\/.*verify.*token|\/\/.*check.*permission/gi,
+    severity: 'high',
+    description: 'Commented out authentication/authorization code detected',
+    suggestedFix: 'Remove commented code or restore the security check',
+  },
+  // Skip validation patterns
+  {
+    name: 'Validation skip',
+    pattern: /skipValidation\s*[=:]\s*true|validate\s*[=:]\s*false|noValidate\s*[=:]\s*true/gi,
+    severity: 'high',
+    description: 'Input validation explicitly disabled',
+    suggestedFix: 'Enable validation or ensure this is intentional and documented',
+  },
+  // Debug/test bypasses
+  {
+    name: 'Debug bypass',
+    pattern: /if\s*\(\s*(DEBUG|TEST|SKIP_AUTH|BYPASS|DISABLE_AUTH)\s*\)/gi,
+    severity: 'high',
+    description: 'Debug/test flag may bypass security controls',
+    suggestedFix: 'Remove debug bypasses before deploying to production',
+  },
+  // Unsafe defaults
+  {
+    name: 'Unsafe default allow',
+    pattern: /default\s*:\s*(return\s+true|allow|permit|grant)/gi,
+    severity: 'medium',
+    description: 'Default case allows access - should default to deny',
+    suggestedFix: 'Change default behavior to deny access (fail-safe defaults)',
+  },
+  // Empty catch blocks
+  {
+    name: 'Empty error handler',
+    pattern: /catch\s*\([^)]*\)\s*{\s*(\/\/.*)?}/gi,
+    severity: 'medium',
+    description: 'Empty catch block may hide security errors',
+    suggestedFix: 'Log the error or handle it appropriately',
+  },
+  // Disabled security features
+  {
+    name: 'Disabled CSRF protection',
+    pattern: /csrf\s*[=:]\s*false|disableCsrf|csrfProtection\s*[=:]\s*false/gi,
+    severity: 'high',
+    description: 'CSRF protection explicitly disabled',
+    suggestedFix: 'Enable CSRF protection for state-changing requests',
+  },
+  {
+    name: 'Disabled SSL verification',
+    pattern: /rejectUnauthorized\s*[=:]\s*false|verify\s*[=:]\s*false|ssl\s*[=:]\s*false|NODE_TLS_REJECT_UNAUTHORIZED/gi,
+    severity: 'critical',
+    description: 'SSL/TLS certificate verification disabled',
+    suggestedFix: 'Enable SSL verification to prevent man-in-the-middle attacks',
+  },
+  // Insecure comparisons
+  {
+    name: 'Timing attack vulnerable comparison',
+    pattern: /===?\s*['"][^'"]{20,}['"]|password\s*===?\s*|token\s*===?\s*|secret\s*===?\s*/gi,
+    severity: 'medium',
+    description: 'Direct string comparison may be vulnerable to timing attacks',
+    suggestedFix: 'Use constant-time comparison for secrets (e.g., crypto.timingSafeEqual)',
+  },
+  // Unsafe redirects
+  {
+    name: 'Open redirect vulnerability',
+    pattern: /redirect\s*\(\s*(req\.(query|params|body)\.|request\.|url\.)/gi,
+    severity: 'high',
+    description: 'Redirect URL from user input may allow open redirect attacks',
+    suggestedFix: 'Validate redirect URLs against an allowlist of trusted domains',
+  },
+  // Admin/superuser bypasses
+  {
+    name: 'Admin bypass pattern',
+    pattern: /if\s*\(\s*(isAdmin|isSuperUser|isRoot|role\s*===?\s*['"]admin['"])\s*\)\s*(return|continue|break)/gi,
+    severity: 'medium',
+    description: 'Admin role bypasses normal security checks',
+    suggestedFix: 'Ensure admin bypass is intentional and properly audited',
+  },
+]
+
+// Check if line is a comment
+function isComment(line: string): boolean {
+  const trimmed = line.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  )
+}
+
+export function detectLogicGates(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+
+  // Check each line against patterns
+  lines.forEach((line, index) => {
+    // Don't skip comments for the "commented auth check" pattern
+    const shouldSkipComments = !line.trim().startsWith('//')
+
+    for (const logicPattern of LOGIC_PATTERNS) {
+      // Skip comment lines for most patterns
+      if (shouldSkipComments && isComment(line) && 
+          logicPattern.name !== 'Commented auth check') {
+        continue
+      }
+
+      const regex = new RegExp(logicPattern.pattern.source, logicPattern.pattern.flags)
+      
+      if (regex.test(line)) {
+        vulnerabilities.push({
+          id: `logic-${filePath}-${index + 1}-${logicPattern.name}`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity: logicPattern.severity,
+          category: 'security_bypass',
+          title: logicPattern.name,
+          description: logicPattern.description,
+          suggestedFix: logicPattern.suggestedFix,
+          confidence: 'medium',
+          layer: 2,
+        })
+        break // Only report once per line
+      }
+    }
+  })
+
+  // Multi-line pattern detection (for more complex patterns)
+  const multiLineFindings = detectMultiLinePatterns(content, filePath)
+  vulnerabilities.push(...multiLineFindings)
+
+  return vulnerabilities
+}
+
+// Detect patterns that span multiple lines
+function detectMultiLinePatterns(content: string, filePath: string): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+
+  // Detect try-catch with empty or minimal error handling
+  const tryCatchPattern = /try\s*{[\s\S]*?}\s*catch\s*\([^)]*\)\s*{\s*(\n\s*)*(\/\/[^\n]*)?\s*}/g
+  let match
+
+  while ((match = tryCatchPattern.exec(content)) !== null) {
+    const lineNumber = content.substring(0, match.index).split('\n').length
+    vulnerabilities.push({
+      id: `logic-multiline-${filePath}-${lineNumber}`,
+      filePath,
+      lineNumber,
+      lineContent: lines[lineNumber - 1]?.trim() || 'try {',
+      severity: 'medium',
+      category: 'security_bypass',
+      title: 'Silent error handling',
+      description: 'Try-catch block with minimal error handling may hide security issues',
+      suggestedFix: 'Log errors appropriately and handle them based on type',
+      confidence: 'low',
+      layer: 2,
+    })
+  }
+
+  return vulnerabilities
+}