npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/layer2/risky-imports.ts ADDED Viewed

@@ -0,0 +1,186 @@
+/**
+ * Layer 2: Risky Import/Package Analysis
+ * Detects imports of packages known to have security concerns or deprecated
+ */
+import type { Vulnerability, VulnerabilitySeverity } from '../types'
+interface RiskyPackage {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+}
+const RISKY_PACKAGES: RiskyPackage[] = [
+  // Known vulnerable or deprecated packages
+  {
+    name: 'request (deprecated)',
+    pattern: /require\s*\(\s*['"]request['"]\s*\)|from\s+['"]request['"]/gi,
+    severity: 'medium',
+    description: 'The "request" package is deprecated and no longer maintained',
+    suggestedFix: 'Migrate to fetch, axios, or node-fetch',
+  },
+  {
+    name: 'node-uuid (deprecated)',
+    pattern: /require\s*\(\s*['"]node-uuid['"]\s*\)|from\s+['"]node-uuid['"]/gi,
+    severity: 'low',
+    description: 'node-uuid is deprecated in favor of uuid package',
+    suggestedFix: 'Use the "uuid" package instead',
+  },
+  // Packages with known security issues
+  {
+    name: 'lodash (full import)',
+    pattern: /require\s*\(\s*['"]lodash['"]\s*\)|import\s+\*?\s*(?:as\s+)?\w+\s+from\s+['"]lodash['"]/gi,
+    severity: 'low',
+    description: 'Full lodash import increases bundle size and attack surface',
+    suggestedFix: 'Import specific functions: import get from "lodash/get"',
+  },
+  {
+    name: 'moment.js (deprecated)',
+    pattern: /require\s*\(\s*['"]moment['"]\s*\)|from\s+['"]moment['"]/gi,
+    severity: 'low',
+    description: 'Moment.js is in maintenance mode, consider alternatives',
+    suggestedFix: 'Use date-fns, dayjs, or native Intl APIs',
+  },
+  // Security-focused sandbox packages - info only (these are used for security, not risky)
+  {
+    name: 'vm2 (sandbox)',
+    pattern: /require\s*\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/gi,
+    severity: 'info',
+    description: 'vm2 is a sandboxing library. While it has had sandbox escape vulnerabilities historically, using it is generally safer than running untrusted code directly. Keep vm2 updated.',
+    suggestedFix: 'Keep vm2 updated to the latest version. For maximum isolation, consider isolated-vm or running in a separate process.',
+  },
+  {
+    name: 'serialize-javascript (RCE risk)',
+    pattern: /require\s*\(\s*['"]serialize-javascript['"]\s*\)|from\s+['"]serialize-javascript['"]/gi,
+    severity: 'medium',
+    description: 'serialize-javascript can be dangerous if output is not properly handled',
+    suggestedFix: 'Ensure serialized output is not directly executed or use JSON.stringify',
+  },
+  // Crypto-related risky imports
+  {
+    name: 'crypto-js (outdated patterns)',
+    pattern: /require\s*\(\s*['"]crypto-js['"]\s*\)|from\s+['"]crypto-js['"]/gi,
+    severity: 'low',
+    description: 'crypto-js may use outdated crypto patterns',
+    suggestedFix: 'Prefer Node.js built-in crypto module or Web Crypto API',
+  },
+  {
+    name: 'bcrypt-nodejs (deprecated)',
+    pattern: /require\s*\(\s*['"]bcrypt-nodejs['"]\s*\)|from\s+['"]bcrypt-nodejs['"]/gi,
+    severity: 'medium',
+    description: 'bcrypt-nodejs is deprecated and unmaintained',
+    suggestedFix: 'Use bcrypt or bcryptjs instead',
+  },
+  // SQL/Database risky patterns
+  {
+    name: 'mysql (prefer mysql2)',
+    pattern: /require\s*\(\s*['"]mysql['"]\s*\)|from\s+['"]mysql['"]/gi,
+    severity: 'low',
+    description: 'mysql package is less maintained than mysql2',
+    suggestedFix: 'Consider using mysql2 for better security and performance',
+  },
+  // Python risky imports
+  {
+    name: 'pickle (unsafe deserialization)',
+    pattern: /^import\s+pickle|^from\s+pickle\s+import/gim,
+    severity: 'high',
+    description: 'pickle can execute arbitrary code during deserialization',
+    suggestedFix: 'Use JSON or other safe serialization formats for untrusted data',
+  },
+  {
+    name: 'yaml unsafe load',
+    pattern: /yaml\.load\s*\([^)]*\)(?!.*Loader)/gi,
+    severity: 'high',
+    description: 'yaml.load without Loader parameter can execute arbitrary code',
+    suggestedFix: 'Use yaml.safe_load() or specify Loader=yaml.SafeLoader',
+  },
+  {
+    name: 'subprocess shell=True',
+    pattern: /subprocess\.(call|run|Popen|check_output)\s*\([^)]*shell\s*=\s*True/gi,
+    severity: 'high',
+    description: 'subprocess with shell=True is vulnerable to shell injection',
+    suggestedFix: 'Use shell=False and pass arguments as a list',
+  },
+  // Telemetry/tracking packages (privacy concern)
+  {
+    name: 'Analytics package',
+    pattern: /require\s*\(\s*['"](analytics|segment|mixpanel|amplitude)['"]\s*\)|from\s+['"](analytics|segment|mixpanel|amplitude)['"]/gi,
+    severity: 'low',
+    description: 'Analytics package detected - ensure user consent is obtained',
+    suggestedFix: 'Implement proper consent mechanisms for user tracking',
+  },
+  // Outdated/vulnerable web frameworks
+  {
+    name: 'express-jwt (CVE history)',
+    pattern: /require\s*\(\s*['"]express-jwt['"]\s*\)|from\s+['"]express-jwt['"]/gi,
+    severity: 'medium',
+    description: 'express-jwt has had security vulnerabilities - ensure latest version',
+    suggestedFix: 'Update to latest version and consider jose or jsonwebtoken directly',
+  },
+  // Dangerous native modules
+  {
+    name: 'node-gyp native module',
+    pattern: /require\s*\(\s*['"]node-gyp['"]\s*\)|from\s+['"]node-gyp['"]/gi,
+    severity: 'low',
+    description: 'Native modules can introduce platform-specific vulnerabilities',
+    suggestedFix: 'Audit native dependencies and keep them updated',
+  },
+]
+// Check if line is a comment
+function isComment(line: string): boolean {
+  const trimmed = line.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  )
+}
+export function detectRiskyImports(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+  lines.forEach((line, index) => {
+    // Skip comment lines
+    if (isComment(line)) return
+    for (const pkg of RISKY_PACKAGES) {
+      const regex = new RegExp(pkg.pattern.source, pkg.pattern.flags)
+      if (regex.test(line)) {
+        vulnerabilities.push({
+          id: `risky-import-${filePath}-${index + 1}-${pkg.name}`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity: pkg.severity,
+          category: 'suspicious_package',
+          title: `Risky package: ${pkg.name}`,
+          description: pkg.description,
+          suggestedFix: pkg.suggestedFix,
+          confidence: 'high',
+          layer: 2,
+        })
+        break // Only report once per line
+      }
+    }
+  })
+  return vulnerabilities
+}

package/src/layer2/variables.ts ADDED Viewed

@@ -0,0 +1,166 @@
+/**
+ * Layer 2: Variable Heuristics
+ * Identifies variable names associated with sensitive data
+ */
+import type { Vulnerability, SensitiveVariablePattern } from '../types'
+// Patterns for sensitive variable names
+export const SENSITIVE_VARIABLE_PATTERNS: SensitiveVariablePattern[] = [
+  // Password-related
+  {
+    pattern: /\b(password|passwd|pwd|pass)\s*[=:]/gi,
+    severity: 'high',
+    description: 'Variable name suggests password storage',
+  },
+  {
+    pattern: /\b(user_?password|admin_?password|db_?password|database_?password)\s*[=:]/gi,
+    severity: 'critical',
+    description: 'Variable name suggests database/admin password',
+  },
+  // Token-related
+  {
+    pattern: /\b(auth_?token|access_?token|refresh_?token|bearer_?token)\s*[=:]/gi,
+    severity: 'high',
+    description: 'Variable name suggests authentication token',
+  },
+  {
+    pattern: /\b(api_?token|api_?key|apikey)\s*[=:]/gi,
+    severity: 'high',
+    description: 'Variable name suggests API key/token',
+  },
+  // Secret-related
+  {
+    pattern: /\b(secret|secret_?key|private_?key|signing_?key)\s*[=:]/gi,
+    severity: 'high',
+    description: 'Variable name suggests secret/private key',
+  },
+  {
+    pattern: /\b(client_?secret|app_?secret|jwt_?secret)\s*[=:]/gi,
+    severity: 'critical',
+    description: 'Variable name suggests application secret',
+  },
+  // Credential-related
+  {
+    pattern: /\b(credential|credentials|creds)\s*[=:]/gi,
+    severity: 'high',
+    description: 'Variable name suggests credentials',
+  },
+  // Connection strings
+  {
+    pattern: /\b(connection_?string|conn_?string|database_?url|db_?url)\s*[=:]/gi,
+    severity: 'high',
+    description: 'Variable name suggests database connection string',
+  },
+  // Encryption keys
+  {
+    pattern: /\b(encryption_?key|decrypt_?key|cipher_?key|aes_?key)\s*[=:]/gi,
+    severity: 'critical',
+    description: 'Variable name suggests encryption key',
+  },
+  // SSH/Certificate
+  {
+    pattern: /\b(ssh_?key|private_?key|cert_?key|ssl_?key)\s*[=:]/gi,
+    severity: 'critical',
+    description: 'Variable name suggests SSH/SSL key',
+  },
+]
+// Check if the value looks like a placeholder or env var reference
+function isPlaceholderOrEnvRef(line: string): boolean {
+  const safePatterns = [
+    /[=:]\s*['"]?\s*$/,                    // Empty value
+    /[=:]\s*['"]?xxx/i,                    // xxx placeholder
+    /[=:]\s*['"]?your[-_]/i,               // your-xxx placeholder
+    /[=:]\s*['"]?<[^>]+>/,                 // <placeholder>
+    /[=:]\s*['"]?\$\{/,                    // ${VAR} template
+    /[=:]\s*['"]?process\.env/,            // process.env reference
+    /[=:]\s*['"]?env\(/,                   // env() function
+    /[=:]\s*['"]?getenv/i,                 // getenv function
+    /[=:]\s*['"]?os\.environ/,             // Python os.environ
+    /[=:]\s*['"]?ENV\[/,                   // Ruby ENV
+    /[=:]\s*null\b/i,                      // null value
+    /[=:]\s*undefined\b/,                  // undefined value
+    /[=:]\s*None\b/,                       // Python None
+    /[=:]\s*['"]?TODO/i,                   // TODO placeholder
+    /[=:]\s*['"]?CHANGEME/i,               // CHANGEME placeholder
+    /[=:]\s*['"]?REPLACE/i,                // REPLACE placeholder
+    /\?\s*.*\s*:\s*/,                      // Ternary operator (conditional assignment)
+    /\|\|/,                                // OR fallback (e.g., ENV_VAR || '')
+    /\?\?/,                                // Nullish coalescing
+    /[A-Z_]{3,}_(?:KEY|TOKEN|SECRET)/,     // References to env var constants
+  ]
+  return safePatterns.some(pattern => pattern.test(line))
+}
+// Check if line is a comment
+function isComment(line: string): boolean {
+  const trimmed = line.trim()
+  return (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*') ||
+    trimmed.startsWith('"""') ||
+    trimmed.startsWith("'''") ||
+    trimmed.startsWith('<!--')
+  )
+}
+// Check if it's a type definition or interface
+function isTypeDefinition(line: string): boolean {
+  return (
+    /^\s*(type|interface|class)\s/.test(line) ||
+    /:\s*(string|number|boolean|any)\s*[;,}]/.test(line) ||
+    /\?\s*:\s*\w+/.test(line)
+  )
+}
+export function detectSensitiveVariables(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+  lines.forEach((line, index) => {
+    // Skip comments
+    if (isComment(line)) return
+    // Skip type definitions
+    if (isTypeDefinition(line)) return
+    // Skip if it's a placeholder/env reference
+    if (isPlaceholderOrEnvRef(line)) return
+    for (const pattern of SENSITIVE_VARIABLE_PATTERNS) {
+      const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+      if (regex.test(line)) {
+        // Extract the actual value to check if it's hardcoded
+        const valueMatch = line.match(/[=:]\s*['"]([^'"]+)['"]/i)
+        if (valueMatch && valueMatch[1].length > 3) {
+          // Has a non-trivial hardcoded value
+          vulnerabilities.push({
+            id: `var-${filePath}-${index + 1}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity: pattern.severity,
+            category: 'sensitive_variable',
+            title: 'Sensitive variable with hardcoded value',
+            description: pattern.description + '. The value appears to be hardcoded rather than loaded from environment.',
+            suggestedFix: 'Move this sensitive value to an environment variable or secure secrets manager.',
+            confidence: 'medium',
+            layer: 2,
+          })
+        }
+        break // Only report once per line
+      }
+    }
+  })
+  return vulnerabilities
+}