@oculum/scanner 1.0.10 → 1.0.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/ai-context/index.d.ts +6 -0
- package/dist/ai-context/index.d.ts.map +1 -0
- package/dist/ai-context/index.js +13 -0
- package/dist/ai-context/index.js.map +1 -0
- package/dist/ai-context/manager.d.ts +67 -0
- package/dist/ai-context/manager.d.ts.map +1 -0
- package/dist/ai-context/manager.js +104 -0
- package/dist/ai-context/manager.js.map +1 -0
- package/dist/baseline/diff.d.ts +32 -0
- package/dist/baseline/diff.d.ts.map +1 -0
- package/dist/baseline/diff.js +119 -0
- package/dist/baseline/diff.js.map +1 -0
- package/dist/baseline/index.d.ts +9 -0
- package/dist/baseline/index.d.ts.map +1 -0
- package/dist/baseline/index.js +19 -0
- package/dist/baseline/index.js.map +1 -0
- package/dist/baseline/manager.d.ts +67 -0
- package/dist/baseline/manager.d.ts.map +1 -0
- package/dist/baseline/manager.js +180 -0
- package/dist/baseline/manager.js.map +1 -0
- package/dist/baseline/types.d.ts +91 -0
- package/dist/baseline/types.d.ts.map +1 -0
- package/dist/baseline/types.js +12 -0
- package/dist/baseline/types.js.map +1 -0
- package/dist/category-filter.d.ts +125 -0
- package/dist/category-filter.d.ts.map +1 -0
- package/dist/category-filter.js +360 -0
- package/dist/category-filter.js.map +1 -0
- package/dist/filtering/context-adjustments.d.ts +23 -0
- package/dist/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/filtering/context-adjustments.js +100 -0
- package/dist/filtering/context-adjustments.js.map +1 -0
- package/dist/filtering/index.d.ts +3 -0
- package/dist/filtering/index.d.ts.map +1 -0
- package/dist/filtering/index.js +8 -0
- package/dist/filtering/index.js.map +1 -0
- package/dist/filtering/pipeline.d.ts +48 -0
- package/dist/filtering/pipeline.d.ts.map +1 -0
- package/dist/filtering/pipeline.js +76 -0
- package/dist/filtering/pipeline.js.map +1 -0
- package/dist/formatters/ai-context.d.ts +23 -0
- package/dist/formatters/ai-context.d.ts.map +1 -0
- package/dist/formatters/ai-context.js +238 -0
- package/dist/formatters/ai-context.js.map +1 -0
- package/dist/formatters/cli-terminal.d.ts +38 -0
- package/dist/formatters/cli-terminal.d.ts.map +1 -1
- package/dist/formatters/cli-terminal.js +365 -42
- package/dist/formatters/cli-terminal.js.map +1 -1
- package/dist/formatters/github-comment.d.ts +2 -2
- package/dist/formatters/github-comment.d.ts.map +1 -1
- package/dist/formatters/github-comment.js +77 -13
- package/dist/formatters/github-comment.js.map +1 -1
- package/dist/formatters/ide/claude-code.d.ts +17 -0
- package/dist/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/formatters/ide/claude-code.js +94 -0
- package/dist/formatters/ide/claude-code.js.map +1 -0
- package/dist/formatters/ide/cursor.d.ts +13 -0
- package/dist/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/formatters/ide/cursor.js +125 -0
- package/dist/formatters/ide/cursor.js.map +1 -0
- package/dist/formatters/ide/index.d.ts +62 -0
- package/dist/formatters/ide/index.d.ts.map +1 -0
- package/dist/formatters/ide/index.js +184 -0
- package/dist/formatters/ide/index.js.map +1 -0
- package/dist/formatters/ide/windsurf.d.ts +13 -0
- package/dist/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/formatters/ide/windsurf.js +117 -0
- package/dist/formatters/ide/windsurf.js.map +1 -0
- package/dist/formatters/index.d.ts +3 -1
- package/dist/formatters/index.d.ts.map +1 -1
- package/dist/formatters/index.js +20 -1
- package/dist/formatters/index.js.map +1 -1
- package/dist/index.d.ts +11 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +423 -56
- package/dist/index.js.map +1 -1
- package/dist/layer1/comments.d.ts +4 -1
- package/dist/layer1/comments.d.ts.map +1 -1
- package/dist/layer1/comments.js +1 -1
- package/dist/layer1/comments.js.map +1 -1
- package/dist/layer1/config-audit.d.ts +4 -1
- package/dist/layer1/config-audit.d.ts.map +1 -1
- package/dist/layer1/config-audit.js +65 -14
- package/dist/layer1/config-audit.js.map +1 -1
- package/dist/layer1/config-mcp-audit.d.ts +23 -0
- package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
- package/dist/layer1/config-mcp-audit.js +239 -0
- package/dist/layer1/config-mcp-audit.js.map +1 -0
- package/dist/layer1/entropy.d.ts +4 -1
- package/dist/layer1/entropy.d.ts.map +1 -1
- package/dist/layer1/entropy.js +212 -1
- package/dist/layer1/entropy.js.map +1 -1
- package/dist/layer1/file-flags.d.ts +4 -1
- package/dist/layer1/file-flags.d.ts.map +1 -1
- package/dist/layer1/file-flags.js +12 -5
- package/dist/layer1/file-flags.js.map +1 -1
- package/dist/layer1/index.d.ts +1 -0
- package/dist/layer1/index.d.ts.map +1 -1
- package/dist/layer1/index.js +22 -19
- package/dist/layer1/index.js.map +1 -1
- package/dist/layer1/patterns.d.ts +4 -1
- package/dist/layer1/patterns.d.ts.map +1 -1
- package/dist/layer1/patterns.js +34 -4
- package/dist/layer1/patterns.js.map +1 -1
- package/dist/layer1/urls.d.ts +4 -1
- package/dist/layer1/urls.d.ts.map +1 -1
- package/dist/layer1/urls.js +162 -14
- package/dist/layer1/urls.js.map +1 -1
- package/dist/layer1/weak-crypto.d.ts +4 -1
- package/dist/layer1/weak-crypto.d.ts.map +1 -1
- package/dist/layer1/weak-crypto.js +144 -7
- package/dist/layer1/weak-crypto.js.map +1 -1
- package/dist/layer2/ai-agent-tools.d.ts +4 -1
- package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
- package/dist/layer2/ai-agent-tools.js +964 -2
- package/dist/layer2/ai-agent-tools.js.map +1 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
- package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
- package/dist/layer2/ai-endpoint-protection.js +18 -4
- package/dist/layer2/ai-endpoint-protection.js.map +1 -1
- package/dist/layer2/ai-execution-sinks.d.ts +4 -1
- package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
- package/dist/layer2/ai-execution-sinks.js +688 -29
- package/dist/layer2/ai-execution-sinks.js.map +1 -1
- package/dist/layer2/ai-fingerprinting.d.ts +4 -1
- package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
- package/dist/layer2/ai-fingerprinting.js +28 -32
- package/dist/layer2/ai-fingerprinting.js.map +1 -1
- package/dist/layer2/ai-mcp-security.d.ts +20 -0
- package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
- package/dist/layer2/ai-mcp-security.js +877 -0
- package/dist/layer2/ai-mcp-security.js.map +1 -0
- package/dist/layer2/ai-package-hallucination.d.ts +22 -0
- package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
- package/dist/layer2/ai-package-hallucination.js +828 -0
- package/dist/layer2/ai-package-hallucination.js.map +1 -0
- package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
- package/dist/layer2/ai-prompt-hygiene.js +817 -17
- package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
- package/dist/layer2/ai-rag-safety.d.ts +4 -1
- package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
- package/dist/layer2/ai-rag-safety.js +454 -3
- package/dist/layer2/ai-rag-safety.js.map +1 -1
- package/dist/layer2/ai-schema-validation.d.ts +4 -1
- package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
- package/dist/layer2/ai-schema-validation.js +2 -2
- package/dist/layer2/ai-schema-validation.js.map +1 -1
- package/dist/layer2/auth-antipatterns.d.ts +2 -0
- package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
- package/dist/layer2/auth-antipatterns.js +209 -20
- package/dist/layer2/auth-antipatterns.js.map +1 -1
- package/dist/layer2/byok-patterns.d.ts +4 -1
- package/dist/layer2/byok-patterns.d.ts.map +1 -1
- package/dist/layer2/byok-patterns.js +5 -2
- package/dist/layer2/byok-patterns.js.map +1 -1
- package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
- package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/child-process.js +74 -0
- package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/dom-xss.js +230 -0
- package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/layer2/dangerous-functions/index.d.ts +16 -0
- package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/index.js +1152 -0
- package/dist/layer2/dangerous-functions/index.js.map +1 -0
- package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/json-parse.js +319 -0
- package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
- package/dist/layer2/dangerous-functions/math-random.d.ts +111 -0
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/math-random.js +684 -0
- package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
- package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/patterns.js +163 -0
- package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
- package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/request-validation.js +119 -0
- package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/helpers.js +147 -0
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/index.js +23 -0
- package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/layer2/data-exposure.d.ts +4 -1
- package/dist/layer2/data-exposure.d.ts.map +1 -1
- package/dist/layer2/data-exposure.js +14 -38
- package/dist/layer2/data-exposure.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts +4 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +5 -2
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +12 -1
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +110 -45
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/logic-gates.d.ts +4 -1
- package/dist/layer2/logic-gates.d.ts.map +1 -1
- package/dist/layer2/logic-gates.js +58 -20
- package/dist/layer2/logic-gates.js.map +1 -1
- package/dist/layer2/model-supply-chain.d.ts +23 -0
- package/dist/layer2/model-supply-chain.d.ts.map +1 -0
- package/dist/layer2/model-supply-chain.js +444 -0
- package/dist/layer2/model-supply-chain.js.map +1 -0
- package/dist/layer2/risky-imports.d.ts +4 -1
- package/dist/layer2/risky-imports.d.ts.map +1 -1
- package/dist/layer2/risky-imports.js +6 -2
- package/dist/layer2/risky-imports.js.map +1 -1
- package/dist/layer2/variables.d.ts +4 -1
- package/dist/layer2/variables.d.ts.map +1 -1
- package/dist/layer2/variables.js +6 -2
- package/dist/layer2/variables.js.map +1 -1
- package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
- package/dist/layer3/anthropic/auto-dismiss.js +199 -0
- package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
- package/dist/layer3/anthropic/clients.d.ts +44 -0
- package/dist/layer3/anthropic/clients.d.ts.map +1 -0
- package/dist/layer3/anthropic/clients.js +81 -0
- package/dist/layer3/anthropic/clients.js.map +1 -0
- package/dist/layer3/anthropic/index.d.ts +41 -0
- package/dist/layer3/anthropic/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/index.js +141 -0
- package/dist/layer3/anthropic/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/index.js +14 -0
- package/dist/layer3/anthropic/prompts/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
- package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.js +421 -0
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
- package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
- package/dist/layer3/anthropic/providers/anthropic.js +266 -0
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
- package/dist/layer3/anthropic/providers/index.d.ts +8 -0
- package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/providers/index.js +15 -0
- package/dist/layer3/anthropic/providers/index.js.map +1 -0
- package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
- package/dist/layer3/anthropic/providers/openai.js +340 -0
- package/dist/layer3/anthropic/providers/openai.js.map +1 -0
- package/dist/layer3/anthropic/request-builder.d.ts +20 -0
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
- package/dist/layer3/anthropic/request-builder.js +134 -0
- package/dist/layer3/anthropic/request-builder.js.map +1 -0
- package/dist/layer3/anthropic/types.d.ts +88 -0
- package/dist/layer3/anthropic/types.d.ts.map +1 -0
- package/dist/layer3/anthropic/types.js +38 -0
- package/dist/layer3/anthropic/types.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +9 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/index.js +24 -0
- package/dist/layer3/anthropic/utils/index.js.map +1 -0
- package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
- package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
- package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
- package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
- package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/response-parser.js +285 -0
- package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
- package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
- package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/retry.js +62 -0
- package/dist/layer3/anthropic/utils/retry.js.map +1 -0
- package/dist/layer3/index.d.ts +1 -0
- package/dist/layer3/index.d.ts.map +1 -1
- package/dist/layer3/index.js +16 -6
- package/dist/layer3/index.js.map +1 -1
- package/dist/layer3/osv-check.d.ts +75 -0
- package/dist/layer3/osv-check.d.ts.map +1 -0
- package/dist/layer3/osv-check.js +308 -0
- package/dist/layer3/osv-check.js.map +1 -0
- package/dist/modes/incremental.js +1 -1
- package/dist/rules/framework-fixes.d.ts +48 -0
- package/dist/rules/framework-fixes.d.ts.map +1 -0
- package/dist/rules/framework-fixes.js +439 -0
- package/dist/rules/framework-fixes.js.map +1 -0
- package/dist/rules/index.d.ts +8 -0
- package/dist/rules/index.d.ts.map +1 -0
- package/dist/rules/index.js +18 -0
- package/dist/rules/index.js.map +1 -0
- package/dist/rules/metadata.d.ts +43 -0
- package/dist/rules/metadata.d.ts.map +1 -0
- package/dist/rules/metadata.js +734 -0
- package/dist/rules/metadata.js.map +1 -0
- package/dist/suppression/config-loader.d.ts +74 -0
- package/dist/suppression/config-loader.d.ts.map +1 -0
- package/dist/suppression/config-loader.js +424 -0
- package/dist/suppression/config-loader.js.map +1 -0
- package/dist/suppression/hash.d.ts +48 -0
- package/dist/suppression/hash.d.ts.map +1 -0
- package/dist/suppression/hash.js +88 -0
- package/dist/suppression/hash.js.map +1 -0
- package/dist/suppression/index.d.ts +11 -0
- package/dist/suppression/index.d.ts.map +1 -0
- package/dist/suppression/index.js +39 -0
- package/dist/suppression/index.js.map +1 -0
- package/dist/suppression/inline-parser.d.ts +39 -0
- package/dist/suppression/inline-parser.d.ts.map +1 -0
- package/dist/suppression/inline-parser.js +218 -0
- package/dist/suppression/inline-parser.js.map +1 -0
- package/dist/suppression/manager.d.ts +94 -0
- package/dist/suppression/manager.d.ts.map +1 -0
- package/dist/suppression/manager.js +292 -0
- package/dist/suppression/manager.js.map +1 -0
- package/dist/suppression/types.d.ts +151 -0
- package/dist/suppression/types.d.ts.map +1 -0
- package/dist/suppression/types.js +28 -0
- package/dist/suppression/types.js.map +1 -0
- package/dist/tiers.d.ts +3 -3
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +34 -7
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +140 -9
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -0
- package/dist/types.js.map +1 -1
- package/dist/utils/code-analysis.d.ts +39 -0
- package/dist/utils/code-analysis.d.ts.map +1 -0
- package/dist/utils/code-analysis.js +159 -0
- package/dist/utils/code-analysis.js.map +1 -0
- package/dist/utils/comment-analyzer.d.ts +38 -0
- package/dist/utils/comment-analyzer.d.ts.map +1 -0
- package/dist/utils/comment-analyzer.js +218 -0
- package/dist/utils/comment-analyzer.js.map +1 -0
- package/dist/utils/context-helpers.d.ts +112 -1
- package/dist/utils/context-helpers.d.ts.map +1 -1
- package/dist/utils/context-helpers.js +364 -11
- package/dist/utils/context-helpers.js.map +1 -1
- package/dist/utils/environment-context.d.ts +76 -0
- package/dist/utils/environment-context.d.ts.map +1 -0
- package/dist/utils/environment-context.js +271 -0
- package/dist/utils/environment-context.js.map +1 -0
- package/dist/utils/intent-detector.d.ts +66 -0
- package/dist/utils/intent-detector.d.ts.map +1 -0
- package/dist/utils/intent-detector.js +282 -0
- package/dist/utils/intent-detector.js.map +1 -0
- package/dist/utils/parsed-file.d.ts +51 -0
- package/dist/utils/parsed-file.d.ts.map +1 -0
- package/dist/utils/parsed-file.js +95 -0
- package/dist/utils/parsed-file.js.map +1 -0
- package/dist/utils/route-hierarchy.d.ts +50 -0
- package/dist/utils/route-hierarchy.d.ts.map +1 -0
- package/dist/utils/route-hierarchy.js +226 -0
- package/dist/utils/route-hierarchy.js.map +1 -0
- package/dist/utils/schema-semantics.d.ts +45 -0
- package/dist/utils/schema-semantics.d.ts.map +1 -0
- package/dist/utils/schema-semantics.js +193 -0
- package/dist/utils/schema-semantics.js.map +1 -0
- package/package.json +4 -2
- package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
- package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
- package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
- package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
- package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
- package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
- package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +30 -0
- package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
- package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
- package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +9 -9
- package/src/__tests__/category-filter.test.ts +478 -0
- package/src/__tests__/regression/known-false-positives.test.ts +490 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +762 -0
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +0 -9
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
- package/src/__tests__/validation/run-validation.ts +7 -7
- package/src/ai-context/__tests__/manager.test.ts +193 -0
- package/src/ai-context/index.ts +15 -0
- package/src/ai-context/manager.ts +145 -0
- package/src/baseline/__tests__/diff.test.ts +261 -0
- package/src/baseline/__tests__/manager.test.ts +225 -0
- package/src/baseline/diff.ts +135 -0
- package/src/baseline/index.ts +29 -0
- package/src/baseline/manager.ts +230 -0
- package/src/baseline/types.ts +97 -0
- package/src/category-filter.ts +400 -0
- package/src/filtering/__tests__/pipeline.test.ts +134 -0
- package/src/filtering/context-adjustments.ts +111 -0
- package/src/filtering/index.ts +10 -0
- package/src/filtering/pipeline.ts +130 -0
- package/src/formatters/__tests__/ai-context.test.ts +254 -0
- package/src/formatters/ai-context.ts +302 -0
- package/src/formatters/cli-terminal.ts +444 -41
- package/src/formatters/github-comment.ts +82 -14
- package/src/formatters/ide/__tests__/ide.test.ts +319 -0
- package/src/formatters/ide/claude-code.ts +110 -0
- package/src/formatters/ide/cursor.ts +147 -0
- package/src/formatters/ide/index.ts +216 -0
- package/src/formatters/ide/windsurf.ts +135 -0
- package/src/formatters/index.ts +28 -0
- package/src/index.ts +506 -45
- package/src/layer1/comments.ts +3 -1
- package/src/layer1/config-audit.ts +74 -14
- package/src/layer1/config-mcp-audit.ts +278 -0
- package/src/layer1/entropy.ts +234 -1
- package/src/layer1/file-flags.ts +17 -6
- package/src/layer1/index.ts +29 -23
- package/src/layer1/patterns.ts +42 -4
- package/src/layer1/urls.ts +188 -14
- package/src/layer1/weak-crypto.ts +168 -16
- package/src/layer2/ai-agent-tools.ts +1043 -2
- package/src/layer2/ai-endpoint-protection.ts +19 -4
- package/src/layer2/ai-execution-sinks.ts +755 -29
- package/src/layer2/ai-fingerprinting.ts +33 -33
- package/src/layer2/ai-mcp-security.ts +933 -0
- package/src/layer2/ai-package-hallucination.ts +940 -0
- package/src/layer2/ai-prompt-hygiene.ts +898 -17
- package/src/layer2/ai-rag-safety.ts +467 -5
- package/src/layer2/ai-schema-validation.ts +4 -2
- package/src/layer2/auth-antipatterns.ts +235 -20
- package/src/layer2/byok-patterns.ts +9 -3
- package/src/layer2/dangerous-functions/child-process.ts +98 -0
- package/src/layer2/dangerous-functions/dom-xss.ts +292 -0
- package/src/layer2/dangerous-functions/index.ts +1533 -0
- package/src/layer2/dangerous-functions/json-parse.ts +385 -0
- package/src/layer2/dangerous-functions/math-random.ts +789 -0
- package/src/layer2/dangerous-functions/patterns.ts +176 -0
- package/src/layer2/dangerous-functions/request-validation.ts +145 -0
- package/src/layer2/dangerous-functions/utils/control-flow.ts +35 -0
- package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
- package/src/layer2/dangerous-functions/utils/index.ts +25 -0
- package/src/layer2/dangerous-functions/utils/schema-validation.ts +106 -0
- package/src/layer2/data-exposure.ts +18 -39
- package/src/layer2/framework-checks.ts +9 -2
- package/src/layer2/index.ts +124 -43
- package/src/layer2/logic-gates.ts +64 -22
- package/src/layer2/model-supply-chain.ts +531 -0
- package/src/layer2/risky-imports.ts +9 -2
- package/src/layer2/variables.ts +9 -2
- package/src/layer3/__tests__/osv-check.test.ts +384 -0
- package/src/layer3/anthropic/auto-dismiss.ts +223 -0
- package/src/layer3/anthropic/clients.ts +84 -0
- package/src/layer3/anthropic/index.ts +170 -0
- package/src/layer3/anthropic/prompts/index.ts +14 -0
- package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
- package/src/layer3/anthropic/prompts/validation.ts +419 -0
- package/src/layer3/anthropic/providers/anthropic.ts +310 -0
- package/src/layer3/anthropic/providers/index.ts +8 -0
- package/src/layer3/anthropic/providers/openai.ts +384 -0
- package/src/layer3/anthropic/request-builder.ts +150 -0
- package/src/layer3/anthropic/types.ts +148 -0
- package/src/layer3/anthropic/utils/index.ts +26 -0
- package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
- package/src/layer3/anthropic/utils/response-parser.ts +322 -0
- package/src/layer3/anthropic/utils/retry.ts +75 -0
- package/src/layer3/index.ts +18 -5
- package/src/layer3/osv-check.ts +420 -0
- package/src/modes/incremental.ts +1 -1
- package/src/rules/__tests__/framework-fixes.test.ts +689 -0
- package/src/rules/__tests__/metadata.test.ts +218 -0
- package/src/rules/framework-fixes.ts +470 -0
- package/src/rules/index.ts +21 -0
- package/src/rules/metadata.ts +831 -0
- package/src/suppression/__tests__/config-loader.test.ts +382 -0
- package/src/suppression/__tests__/hash.test.ts +166 -0
- package/src/suppression/__tests__/inline-parser.test.ts +212 -0
- package/src/suppression/__tests__/manager.test.ts +415 -0
- package/src/suppression/config-loader.ts +462 -0
- package/src/suppression/hash.ts +95 -0
- package/src/suppression/index.ts +51 -0
- package/src/suppression/inline-parser.ts +273 -0
- package/src/suppression/manager.ts +379 -0
- package/src/suppression/types.ts +174 -0
- package/src/tiers.ts +45 -9
- package/src/types.ts +212 -8
- package/src/utils/__tests__/code-analysis.test.ts +165 -0
- package/src/utils/__tests__/parsed-file.test.ts +124 -0
- package/src/utils/code-analysis.ts +179 -0
- package/src/utils/comment-analyzer.ts +249 -0
- package/src/utils/context-helpers.ts +421 -11
- package/src/utils/environment-context.ts +304 -0
- package/src/utils/intent-detector.ts +318 -0
- package/src/utils/parsed-file.ts +103 -0
- package/src/utils/route-hierarchy.ts +250 -0
- package/src/utils/schema-semantics.ts +233 -0
- package/dist/layer2/dangerous-functions.d.ts +0 -7
- package/dist/layer2/dangerous-functions.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions.js +0 -1701
- package/dist/layer2/dangerous-functions.js.map +0 -1
- package/dist/layer3/anthropic.d.ts +0 -87
- package/dist/layer3/anthropic.d.ts.map +0 -1
- package/dist/layer3/anthropic.js +0 -1948
- package/dist/layer3/anthropic.js.map +0 -1
- package/dist/layer3/openai.d.ts +0 -25
- package/dist/layer3/openai.d.ts.map +0 -1
- package/dist/layer3/openai.js +0 -238
- package/dist/layer3/openai.js.map +0 -1
- package/src/layer2/dangerous-functions.ts +0 -1940
- package/src/layer3/anthropic.ts +0 -2257
|
@@ -0,0 +1,145 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* AI Context Manager
|
|
3
|
+
* Handles loading, saving, and clearing AI context files
|
|
4
|
+
*/
|
|
5
|
+
|
|
6
|
+
import { existsSync, readFileSync, writeFileSync, mkdirSync, unlinkSync } from 'fs'
|
|
7
|
+
import { join } from 'path'
|
|
8
|
+
|
|
9
|
+
/** AI context file name */
|
|
10
|
+
export const AI_CONTEXT_FILE = 'ai-context.md'
|
|
11
|
+
|
|
12
|
+
/** Directory for oculum files */
|
|
13
|
+
export const OCULUM_DIR = '.oculum'
|
|
14
|
+
|
|
15
|
+
/** Full path to AI context file (relative to project root) */
|
|
16
|
+
export const AI_CONTEXT_PATH = `${OCULUM_DIR}/${AI_CONTEXT_FILE}`
|
|
17
|
+
|
|
18
|
+
export interface AIContextManagerOptions {
|
|
19
|
+
/** Project root path */
|
|
20
|
+
projectPath: string
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
export interface SaveContextResult {
|
|
24
|
+
/** Whether the save was successful */
|
|
25
|
+
success: boolean
|
|
26
|
+
/** Path where context was saved */
|
|
27
|
+
path: string
|
|
28
|
+
/** Error message (if failed) */
|
|
29
|
+
error?: string
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
export interface LoadContextResult {
|
|
33
|
+
/** Whether a context file was found */
|
|
34
|
+
found: boolean
|
|
35
|
+
/** The context content (if found) */
|
|
36
|
+
content?: string
|
|
37
|
+
/** Error message (if failed to load) */
|
|
38
|
+
error?: string
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
export interface ClearContextResult {
|
|
42
|
+
/** Whether the clear was successful */
|
|
43
|
+
success: boolean
|
|
44
|
+
/** Whether a context file existed before clearing */
|
|
45
|
+
existed: boolean
|
|
46
|
+
/** Error message (if failed) */
|
|
47
|
+
error?: string
|
|
48
|
+
}
|
|
49
|
+
|
|
50
|
+
/**
|
|
51
|
+
* Manages AI context files for IDE consumption
|
|
52
|
+
*/
|
|
53
|
+
export class AIContextManager {
|
|
54
|
+
private projectPath: string
|
|
55
|
+
private contextPath: string
|
|
56
|
+
|
|
57
|
+
constructor(options: AIContextManagerOptions | string) {
|
|
58
|
+
// Support both old string arg and new options object
|
|
59
|
+
if (typeof options === 'string') {
|
|
60
|
+
this.projectPath = options
|
|
61
|
+
} else {
|
|
62
|
+
this.projectPath = options.projectPath
|
|
63
|
+
}
|
|
64
|
+
this.contextPath = join(this.projectPath, OCULUM_DIR, AI_CONTEXT_FILE)
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
/**
|
|
68
|
+
* Get the full path to the AI context file
|
|
69
|
+
*/
|
|
70
|
+
getContextPath(): string {
|
|
71
|
+
return this.contextPath
|
|
72
|
+
}
|
|
73
|
+
|
|
74
|
+
/**
|
|
75
|
+
* Save AI context to .oculum/ai-context.md
|
|
76
|
+
*/
|
|
77
|
+
saveContext(content: string): SaveContextResult {
|
|
78
|
+
try {
|
|
79
|
+
// Ensure .oculum directory exists
|
|
80
|
+
const oculumDir = join(this.projectPath, OCULUM_DIR)
|
|
81
|
+
if (!existsSync(oculumDir)) {
|
|
82
|
+
mkdirSync(oculumDir, { recursive: true })
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
// Write content to file
|
|
86
|
+
writeFileSync(this.contextPath, content)
|
|
87
|
+
|
|
88
|
+
return { success: true, path: this.contextPath }
|
|
89
|
+
} catch (err) {
|
|
90
|
+
return {
|
|
91
|
+
success: false,
|
|
92
|
+
path: this.contextPath,
|
|
93
|
+
error: `Failed to save AI context: ${err instanceof Error ? err.message : 'Unknown error'}`,
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
|
|
98
|
+
/**
|
|
99
|
+
* Load AI context from .oculum/ai-context.md
|
|
100
|
+
*/
|
|
101
|
+
loadContext(): LoadContextResult {
|
|
102
|
+
if (!existsSync(this.contextPath)) {
|
|
103
|
+
return { found: false }
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
try {
|
|
107
|
+
const content = readFileSync(this.contextPath, 'utf-8')
|
|
108
|
+
return { found: true, content }
|
|
109
|
+
} catch (err) {
|
|
110
|
+
return {
|
|
111
|
+
found: false,
|
|
112
|
+
error: `Failed to read AI context: ${err instanceof Error ? err.message : 'Unknown error'}`,
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
/**
|
|
118
|
+
* Clear (delete) the AI context file
|
|
119
|
+
*/
|
|
120
|
+
clearContext(): ClearContextResult {
|
|
121
|
+
const existed = existsSync(this.contextPath)
|
|
122
|
+
|
|
123
|
+
if (!existed) {
|
|
124
|
+
return { success: true, existed: false }
|
|
125
|
+
}
|
|
126
|
+
|
|
127
|
+
try {
|
|
128
|
+
unlinkSync(this.contextPath)
|
|
129
|
+
return { success: true, existed: true }
|
|
130
|
+
} catch (err) {
|
|
131
|
+
return {
|
|
132
|
+
success: false,
|
|
133
|
+
existed: true,
|
|
134
|
+
error: `Failed to clear AI context: ${err instanceof Error ? err.message : 'Unknown error'}`,
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
|
|
139
|
+
/**
|
|
140
|
+
* Check if an AI context file exists
|
|
141
|
+
*/
|
|
142
|
+
hasContext(): boolean {
|
|
143
|
+
return existsSync(this.contextPath)
|
|
144
|
+
}
|
|
145
|
+
}
|
|
@@ -0,0 +1,261 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Baseline Diff Computation Tests
|
|
3
|
+
*/
|
|
4
|
+
|
|
5
|
+
import { computeDiff, hasNewBlockingIssues, formatDiffSummary } from '../diff'
|
|
6
|
+
import type { Vulnerability } from '../../types'
|
|
7
|
+
import type { BaselineData } from '../types'
|
|
8
|
+
|
|
9
|
+
describe('Baseline Diff Computation', () => {
|
|
10
|
+
// Helper to create a test vulnerability
|
|
11
|
+
const createVuln = (
|
|
12
|
+
filePath: string,
|
|
13
|
+
lineNumber: number,
|
|
14
|
+
category: string,
|
|
15
|
+
severity: 'critical' | 'high' | 'medium' | 'low' | 'info' = 'medium',
|
|
16
|
+
title: string = 'Test finding'
|
|
17
|
+
): Vulnerability => ({
|
|
18
|
+
filePath,
|
|
19
|
+
lineNumber,
|
|
20
|
+
category: category as any,
|
|
21
|
+
severity,
|
|
22
|
+
title,
|
|
23
|
+
description: 'Test description',
|
|
24
|
+
confidence: 'high',
|
|
25
|
+
layer: 1,
|
|
26
|
+
lineContent: `Line ${lineNumber} content`,
|
|
27
|
+
})
|
|
28
|
+
|
|
29
|
+
// Helper to create a baseline
|
|
30
|
+
const createBaseline = (findings: Array<{
|
|
31
|
+
hash: string
|
|
32
|
+
filePath: string
|
|
33
|
+
lineNumber: number
|
|
34
|
+
category: string
|
|
35
|
+
severity: string
|
|
36
|
+
title: string
|
|
37
|
+
}>): BaselineData => ({
|
|
38
|
+
version: 1,
|
|
39
|
+
createdAt: '2024-01-15T10:00:00.000Z',
|
|
40
|
+
findings: findings as any,
|
|
41
|
+
stats: {
|
|
42
|
+
total: findings.length,
|
|
43
|
+
critical: findings.filter(f => f.severity === 'critical').length,
|
|
44
|
+
high: findings.filter(f => f.severity === 'high').length,
|
|
45
|
+
medium: findings.filter(f => f.severity === 'medium').length,
|
|
46
|
+
low: findings.filter(f => f.severity === 'low').length,
|
|
47
|
+
info: findings.filter(f => f.severity === 'info').length,
|
|
48
|
+
},
|
|
49
|
+
})
|
|
50
|
+
|
|
51
|
+
describe('computeDiff', () => {
|
|
52
|
+
it('should identify all findings as new when baseline is empty', () => {
|
|
53
|
+
const current = [
|
|
54
|
+
createVuln('src/a.ts', 10, 'hardcoded_secret', 'critical'),
|
|
55
|
+
createVuln('src/b.ts', 20, 'sql_injection', 'high'),
|
|
56
|
+
]
|
|
57
|
+
const baseline = createBaseline([])
|
|
58
|
+
|
|
59
|
+
const diff = computeDiff(current, baseline)
|
|
60
|
+
|
|
61
|
+
expect(diff.new).toHaveLength(2)
|
|
62
|
+
expect(diff.fixed).toHaveLength(0)
|
|
63
|
+
expect(diff.existing).toHaveLength(0)
|
|
64
|
+
expect(diff.stats.newCount).toBe(2)
|
|
65
|
+
expect(diff.stats.fixedCount).toBe(0)
|
|
66
|
+
expect(diff.stats.existingCount).toBe(0)
|
|
67
|
+
})
|
|
68
|
+
|
|
69
|
+
it('should identify all findings as existing when current matches baseline', () => {
|
|
70
|
+
const current = [
|
|
71
|
+
createVuln('src/a.ts', 10, 'hardcoded_secret', 'critical', 'API key'),
|
|
72
|
+
]
|
|
73
|
+
|
|
74
|
+
// Need to compute the hash that would match
|
|
75
|
+
const { computeFindingHash } = require('../../suppression/hash')
|
|
76
|
+
const hash = computeFindingHash(current[0])
|
|
77
|
+
|
|
78
|
+
const baseline = createBaseline([
|
|
79
|
+
{
|
|
80
|
+
hash,
|
|
81
|
+
filePath: 'src/a.ts',
|
|
82
|
+
lineNumber: 10,
|
|
83
|
+
category: 'hardcoded_secret',
|
|
84
|
+
severity: 'critical',
|
|
85
|
+
title: 'API key',
|
|
86
|
+
},
|
|
87
|
+
])
|
|
88
|
+
|
|
89
|
+
const diff = computeDiff(current, baseline)
|
|
90
|
+
|
|
91
|
+
expect(diff.new).toHaveLength(0)
|
|
92
|
+
expect(diff.fixed).toHaveLength(0)
|
|
93
|
+
expect(diff.existing).toHaveLength(1)
|
|
94
|
+
expect(diff.stats.existingCount).toBe(1)
|
|
95
|
+
})
|
|
96
|
+
|
|
97
|
+
it('should identify fixed findings when they exist in baseline but not current', () => {
|
|
98
|
+
const current: Vulnerability[] = []
|
|
99
|
+
const baseline = createBaseline([
|
|
100
|
+
{
|
|
101
|
+
hash: 'fixedhash1234567',
|
|
102
|
+
filePath: 'src/fixed.ts',
|
|
103
|
+
lineNumber: 5,
|
|
104
|
+
category: 'hardcoded_secret',
|
|
105
|
+
severity: 'high',
|
|
106
|
+
title: 'Fixed finding',
|
|
107
|
+
},
|
|
108
|
+
])
|
|
109
|
+
|
|
110
|
+
const diff = computeDiff(current, baseline)
|
|
111
|
+
|
|
112
|
+
expect(diff.new).toHaveLength(0)
|
|
113
|
+
expect(diff.fixed).toHaveLength(1)
|
|
114
|
+
expect(diff.fixed[0].title).toBe('Fixed finding')
|
|
115
|
+
expect(diff.existing).toHaveLength(0)
|
|
116
|
+
expect(diff.stats.fixedCount).toBe(1)
|
|
117
|
+
})
|
|
118
|
+
|
|
119
|
+
it('should handle mixed scenario with new, fixed, and existing findings', () => {
|
|
120
|
+
// Create a finding that will be in both current and baseline
|
|
121
|
+
const existingVuln = createVuln('src/existing.ts', 10, 'xss', 'medium', 'Existing XSS')
|
|
122
|
+
const { computeFindingHash } = require('../../suppression/hash')
|
|
123
|
+
const existingHash = computeFindingHash(existingVuln)
|
|
124
|
+
|
|
125
|
+
// Current: one existing + one new
|
|
126
|
+
const current = [
|
|
127
|
+
existingVuln,
|
|
128
|
+
createVuln('src/new.ts', 20, 'sql_injection', 'high', 'New SQL injection'),
|
|
129
|
+
]
|
|
130
|
+
|
|
131
|
+
// Baseline: one existing + one fixed
|
|
132
|
+
const baseline = createBaseline([
|
|
133
|
+
{
|
|
134
|
+
hash: existingHash,
|
|
135
|
+
filePath: 'src/existing.ts',
|
|
136
|
+
lineNumber: 10,
|
|
137
|
+
category: 'xss',
|
|
138
|
+
severity: 'medium',
|
|
139
|
+
title: 'Existing XSS',
|
|
140
|
+
},
|
|
141
|
+
{
|
|
142
|
+
hash: 'fixedhash9999999',
|
|
143
|
+
filePath: 'src/old.ts',
|
|
144
|
+
lineNumber: 30,
|
|
145
|
+
category: 'hardcoded_secret',
|
|
146
|
+
severity: 'critical',
|
|
147
|
+
title: 'Fixed secret',
|
|
148
|
+
},
|
|
149
|
+
])
|
|
150
|
+
|
|
151
|
+
const diff = computeDiff(current, baseline)
|
|
152
|
+
|
|
153
|
+
expect(diff.new).toHaveLength(1)
|
|
154
|
+
expect(diff.new[0].title).toBe('New SQL injection')
|
|
155
|
+
expect(diff.fixed).toHaveLength(1)
|
|
156
|
+
expect(diff.fixed[0].title).toBe('Fixed secret')
|
|
157
|
+
expect(diff.existing).toHaveLength(1)
|
|
158
|
+
expect(diff.existing[0].title).toBe('Existing XSS')
|
|
159
|
+
|
|
160
|
+
expect(diff.stats.newCount).toBe(1)
|
|
161
|
+
expect(diff.stats.fixedCount).toBe(1)
|
|
162
|
+
expect(diff.stats.existingCount).toBe(1)
|
|
163
|
+
})
|
|
164
|
+
|
|
165
|
+
it('should compute severity counts correctly', () => {
|
|
166
|
+
const current = [
|
|
167
|
+
createVuln('src/a.ts', 1, 'sql_injection', 'critical', 'Crit 1'),
|
|
168
|
+
createVuln('src/b.ts', 2, 'xss', 'high', 'High 1'),
|
|
169
|
+
createVuln('src/c.ts', 3, 'xss', 'high', 'High 2'),
|
|
170
|
+
createVuln('src/d.ts', 4, 'data_exposure', 'medium', 'Med 1'),
|
|
171
|
+
]
|
|
172
|
+
const baseline = createBaseline([])
|
|
173
|
+
|
|
174
|
+
const diff = computeDiff(current, baseline)
|
|
175
|
+
|
|
176
|
+
expect(diff.stats.newBySeverity.critical).toBe(1)
|
|
177
|
+
expect(diff.stats.newBySeverity.high).toBe(2)
|
|
178
|
+
expect(diff.stats.newBySeverity.medium).toBe(1)
|
|
179
|
+
expect(diff.stats.newBySeverity.low).toBe(0)
|
|
180
|
+
expect(diff.stats.newBySeverity.info).toBe(0)
|
|
181
|
+
})
|
|
182
|
+
})
|
|
183
|
+
|
|
184
|
+
describe('hasNewBlockingIssues', () => {
|
|
185
|
+
it('should return true when there are new critical findings', () => {
|
|
186
|
+
const diff = computeDiff(
|
|
187
|
+
[createVuln('src/a.ts', 1, 'hardcoded_secret', 'critical')],
|
|
188
|
+
createBaseline([])
|
|
189
|
+
)
|
|
190
|
+
|
|
191
|
+
expect(hasNewBlockingIssues(diff)).toBe(true)
|
|
192
|
+
})
|
|
193
|
+
|
|
194
|
+
it('should return true when there are new high findings', () => {
|
|
195
|
+
const diff = computeDiff(
|
|
196
|
+
[createVuln('src/a.ts', 1, 'sql_injection', 'high')],
|
|
197
|
+
createBaseline([])
|
|
198
|
+
)
|
|
199
|
+
|
|
200
|
+
expect(hasNewBlockingIssues(diff)).toBe(true)
|
|
201
|
+
})
|
|
202
|
+
|
|
203
|
+
it('should return false when there are only new medium/low/info findings', () => {
|
|
204
|
+
const diff = computeDiff(
|
|
205
|
+
[
|
|
206
|
+
createVuln('src/a.ts', 1, 'xss', 'medium'),
|
|
207
|
+
createVuln('src/b.ts', 2, 'data_exposure', 'low'),
|
|
208
|
+
createVuln('src/c.ts', 3, 'ai_pattern', 'info'),
|
|
209
|
+
],
|
|
210
|
+
createBaseline([])
|
|
211
|
+
)
|
|
212
|
+
|
|
213
|
+
expect(hasNewBlockingIssues(diff)).toBe(false)
|
|
214
|
+
})
|
|
215
|
+
|
|
216
|
+
it('should return false when there are no new findings', () => {
|
|
217
|
+
const diff = computeDiff([], createBaseline([]))
|
|
218
|
+
|
|
219
|
+
expect(hasNewBlockingIssues(diff)).toBe(false)
|
|
220
|
+
})
|
|
221
|
+
})
|
|
222
|
+
|
|
223
|
+
describe('formatDiffSummary', () => {
|
|
224
|
+
it('should format a summary with all categories', () => {
|
|
225
|
+
const diff = computeDiff(
|
|
226
|
+
[
|
|
227
|
+
createVuln('src/a.ts', 1, 'hardcoded_secret', 'critical'),
|
|
228
|
+
createVuln('src/b.ts', 2, 'xss', 'high'),
|
|
229
|
+
],
|
|
230
|
+
createBaseline([
|
|
231
|
+
{
|
|
232
|
+
hash: 'fixedhash1234567',
|
|
233
|
+
filePath: 'src/fixed.ts',
|
|
234
|
+
lineNumber: 5,
|
|
235
|
+
category: 'sql_injection',
|
|
236
|
+
severity: 'high',
|
|
237
|
+
title: 'Fixed finding',
|
|
238
|
+
},
|
|
239
|
+
])
|
|
240
|
+
)
|
|
241
|
+
|
|
242
|
+
const summary = formatDiffSummary(diff)
|
|
243
|
+
|
|
244
|
+
expect(summary).toContain('2 new')
|
|
245
|
+
expect(summary).toContain('1 fixed')
|
|
246
|
+
})
|
|
247
|
+
|
|
248
|
+
it('should omit zero counts', () => {
|
|
249
|
+
const diff = computeDiff(
|
|
250
|
+
[createVuln('src/a.ts', 1, 'hardcoded_secret', 'critical')],
|
|
251
|
+
createBaseline([])
|
|
252
|
+
)
|
|
253
|
+
|
|
254
|
+
const summary = formatDiffSummary(diff)
|
|
255
|
+
|
|
256
|
+
expect(summary).toContain('1 new')
|
|
257
|
+
expect(summary).not.toContain('fixed')
|
|
258
|
+
expect(summary).not.toContain('existing')
|
|
259
|
+
})
|
|
260
|
+
})
|
|
261
|
+
})
|
|
@@ -0,0 +1,225 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Baseline Manager Tests
|
|
3
|
+
*/
|
|
4
|
+
|
|
5
|
+
import { existsSync, mkdirSync, readFileSync, writeFileSync, rmSync } from 'fs'
|
|
6
|
+
import { join } from 'path'
|
|
7
|
+
import { tmpdir } from 'os'
|
|
8
|
+
import { BaselineManager } from '../manager'
|
|
9
|
+
import type { ScanResult } from '../../types'
|
|
10
|
+
import type { BaselineData } from '../types'
|
|
11
|
+
|
|
12
|
+
describe('BaselineManager', () => {
|
|
13
|
+
let testDir: string
|
|
14
|
+
let manager: BaselineManager
|
|
15
|
+
|
|
16
|
+
beforeEach(() => {
|
|
17
|
+
// Create a unique temp directory for each test
|
|
18
|
+
testDir = join(tmpdir(), `baseline-test-${Date.now()}-${Math.random().toString(36).slice(2)}`)
|
|
19
|
+
mkdirSync(testDir, { recursive: true })
|
|
20
|
+
manager = new BaselineManager({ projectPath: testDir })
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
afterEach(() => {
|
|
24
|
+
// Clean up test directory
|
|
25
|
+
try {
|
|
26
|
+
rmSync(testDir, { recursive: true, force: true })
|
|
27
|
+
} catch {
|
|
28
|
+
// Ignore cleanup errors
|
|
29
|
+
}
|
|
30
|
+
})
|
|
31
|
+
|
|
32
|
+
describe('loadBaseline', () => {
|
|
33
|
+
it('should return found: false when no baseline exists', () => {
|
|
34
|
+
const result = manager.loadBaseline()
|
|
35
|
+
expect(result.found).toBe(false)
|
|
36
|
+
expect(result.baseline).toBeUndefined()
|
|
37
|
+
expect(result.error).toBeUndefined()
|
|
38
|
+
})
|
|
39
|
+
|
|
40
|
+
it('should load a valid baseline', () => {
|
|
41
|
+
// Create a valid baseline file
|
|
42
|
+
const baseline: BaselineData = {
|
|
43
|
+
version: 1,
|
|
44
|
+
createdAt: '2024-01-15T10:00:00.000Z',
|
|
45
|
+
commit: 'abc1234',
|
|
46
|
+
branch: 'main',
|
|
47
|
+
findings: [
|
|
48
|
+
{
|
|
49
|
+
hash: 'abcd1234abcd1234',
|
|
50
|
+
filePath: 'src/test.ts',
|
|
51
|
+
lineNumber: 10,
|
|
52
|
+
category: 'hardcoded_secret',
|
|
53
|
+
severity: 'critical',
|
|
54
|
+
title: 'Hardcoded API key',
|
|
55
|
+
},
|
|
56
|
+
],
|
|
57
|
+
stats: {
|
|
58
|
+
total: 1,
|
|
59
|
+
critical: 1,
|
|
60
|
+
high: 0,
|
|
61
|
+
medium: 0,
|
|
62
|
+
low: 0,
|
|
63
|
+
info: 0,
|
|
64
|
+
},
|
|
65
|
+
}
|
|
66
|
+
|
|
67
|
+
mkdirSync(join(testDir, '.oculum'), { recursive: true })
|
|
68
|
+
writeFileSync(join(testDir, '.oculum/baseline.json'), JSON.stringify(baseline))
|
|
69
|
+
|
|
70
|
+
const result = manager.loadBaseline()
|
|
71
|
+
expect(result.found).toBe(true)
|
|
72
|
+
expect(result.baseline).toEqual(baseline)
|
|
73
|
+
expect(result.error).toBeUndefined()
|
|
74
|
+
})
|
|
75
|
+
|
|
76
|
+
it('should return error for invalid JSON', () => {
|
|
77
|
+
mkdirSync(join(testDir, '.oculum'), { recursive: true })
|
|
78
|
+
writeFileSync(join(testDir, '.oculum/baseline.json'), 'not valid json')
|
|
79
|
+
|
|
80
|
+
const result = manager.loadBaseline()
|
|
81
|
+
expect(result.found).toBe(false)
|
|
82
|
+
expect(result.error).toContain('Failed to parse baseline')
|
|
83
|
+
})
|
|
84
|
+
|
|
85
|
+
it('should return error for unsupported version', () => {
|
|
86
|
+
const baseline = {
|
|
87
|
+
version: 99,
|
|
88
|
+
createdAt: '2024-01-15T10:00:00.000Z',
|
|
89
|
+
findings: [],
|
|
90
|
+
stats: { total: 0, critical: 0, high: 0, medium: 0, low: 0, info: 0 },
|
|
91
|
+
}
|
|
92
|
+
|
|
93
|
+
mkdirSync(join(testDir, '.oculum'), { recursive: true })
|
|
94
|
+
writeFileSync(join(testDir, '.oculum/baseline.json'), JSON.stringify(baseline))
|
|
95
|
+
|
|
96
|
+
const result = manager.loadBaseline()
|
|
97
|
+
expect(result.found).toBe(false)
|
|
98
|
+
expect(result.error).toContain('Unsupported baseline version')
|
|
99
|
+
})
|
|
100
|
+
|
|
101
|
+
it('should return error when findings array is missing', () => {
|
|
102
|
+
const baseline = {
|
|
103
|
+
version: 1,
|
|
104
|
+
createdAt: '2024-01-15T10:00:00.000Z',
|
|
105
|
+
stats: { total: 0, critical: 0, high: 0, medium: 0, low: 0, info: 0 },
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
mkdirSync(join(testDir, '.oculum'), { recursive: true })
|
|
109
|
+
writeFileSync(join(testDir, '.oculum/baseline.json'), JSON.stringify(baseline))
|
|
110
|
+
|
|
111
|
+
const result = manager.loadBaseline()
|
|
112
|
+
expect(result.found).toBe(false)
|
|
113
|
+
expect(result.error).toContain('missing findings array')
|
|
114
|
+
})
|
|
115
|
+
})
|
|
116
|
+
|
|
117
|
+
describe('saveBaseline', () => {
|
|
118
|
+
it('should save a baseline from scan result', () => {
|
|
119
|
+
const scanResult: ScanResult = {
|
|
120
|
+
repoName: 'test/repo',
|
|
121
|
+
repoUrl: 'https://github.com/test/repo',
|
|
122
|
+
branch: 'main',
|
|
123
|
+
filesScanned: 10,
|
|
124
|
+
filesSkipped: 2,
|
|
125
|
+
vulnerabilities: [
|
|
126
|
+
{
|
|
127
|
+
filePath: 'src/test.ts',
|
|
128
|
+
lineNumber: 10,
|
|
129
|
+
category: 'hardcoded_secret',
|
|
130
|
+
severity: 'critical',
|
|
131
|
+
title: 'Hardcoded API key',
|
|
132
|
+
description: 'Test description',
|
|
133
|
+
confidence: 'high',
|
|
134
|
+
layer: 1,
|
|
135
|
+
lineContent: 'const API_KEY = "sk-1234567890"',
|
|
136
|
+
},
|
|
137
|
+
],
|
|
138
|
+
severityCounts: { critical: 1, high: 0, medium: 0, low: 0, info: 0 },
|
|
139
|
+
categoryCounts: {},
|
|
140
|
+
hasBlockingIssues: true,
|
|
141
|
+
scanDuration: 1000,
|
|
142
|
+
timestamp: '2024-01-15T10:00:00.000Z',
|
|
143
|
+
}
|
|
144
|
+
|
|
145
|
+
const result = manager.saveBaseline(scanResult, { scanDepth: 'local' })
|
|
146
|
+
|
|
147
|
+
expect(result.success).toBe(true)
|
|
148
|
+
expect(existsSync(result.path)).toBe(true)
|
|
149
|
+
|
|
150
|
+
// Verify saved content
|
|
151
|
+
const content = readFileSync(result.path, 'utf-8')
|
|
152
|
+
const baseline = JSON.parse(content) as BaselineData
|
|
153
|
+
|
|
154
|
+
expect(baseline.version).toBe(1)
|
|
155
|
+
expect(baseline.findings).toHaveLength(1)
|
|
156
|
+
expect(baseline.findings[0].title).toBe('Hardcoded API key')
|
|
157
|
+
expect(baseline.stats.critical).toBe(1)
|
|
158
|
+
expect(baseline.scanDepth).toBe('local')
|
|
159
|
+
})
|
|
160
|
+
|
|
161
|
+
it('should create .oculum directory if it does not exist', () => {
|
|
162
|
+
const scanResult: ScanResult = {
|
|
163
|
+
repoName: 'test/repo',
|
|
164
|
+
repoUrl: 'https://github.com/test/repo',
|
|
165
|
+
branch: 'main',
|
|
166
|
+
filesScanned: 0,
|
|
167
|
+
filesSkipped: 0,
|
|
168
|
+
vulnerabilities: [],
|
|
169
|
+
severityCounts: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
|
|
170
|
+
categoryCounts: {},
|
|
171
|
+
hasBlockingIssues: false,
|
|
172
|
+
scanDuration: 100,
|
|
173
|
+
timestamp: '2024-01-15T10:00:00.000Z',
|
|
174
|
+
}
|
|
175
|
+
|
|
176
|
+
expect(existsSync(join(testDir, '.oculum'))).toBe(false)
|
|
177
|
+
|
|
178
|
+
const result = manager.saveBaseline(scanResult)
|
|
179
|
+
|
|
180
|
+
expect(result.success).toBe(true)
|
|
181
|
+
expect(existsSync(join(testDir, '.oculum'))).toBe(true)
|
|
182
|
+
})
|
|
183
|
+
})
|
|
184
|
+
|
|
185
|
+
describe('clearBaseline', () => {
|
|
186
|
+
it('should return success with existed: false when no baseline exists', () => {
|
|
187
|
+
const result = manager.clearBaseline()
|
|
188
|
+
expect(result.success).toBe(true)
|
|
189
|
+
expect(result.existed).toBe(false)
|
|
190
|
+
})
|
|
191
|
+
|
|
192
|
+
it('should delete existing baseline', () => {
|
|
193
|
+
// Create baseline file
|
|
194
|
+
mkdirSync(join(testDir, '.oculum'), { recursive: true })
|
|
195
|
+
writeFileSync(join(testDir, '.oculum/baseline.json'), '{}')
|
|
196
|
+
|
|
197
|
+
expect(existsSync(join(testDir, '.oculum/baseline.json'))).toBe(true)
|
|
198
|
+
|
|
199
|
+
const result = manager.clearBaseline()
|
|
200
|
+
|
|
201
|
+
expect(result.success).toBe(true)
|
|
202
|
+
expect(result.existed).toBe(true)
|
|
203
|
+
expect(existsSync(join(testDir, '.oculum/baseline.json'))).toBe(false)
|
|
204
|
+
})
|
|
205
|
+
})
|
|
206
|
+
|
|
207
|
+
describe('hasBaseline', () => {
|
|
208
|
+
it('should return false when no baseline exists', () => {
|
|
209
|
+
expect(manager.hasBaseline()).toBe(false)
|
|
210
|
+
})
|
|
211
|
+
|
|
212
|
+
it('should return true when baseline exists', () => {
|
|
213
|
+
mkdirSync(join(testDir, '.oculum'), { recursive: true })
|
|
214
|
+
writeFileSync(join(testDir, '.oculum/baseline.json'), '{}')
|
|
215
|
+
|
|
216
|
+
expect(manager.hasBaseline()).toBe(true)
|
|
217
|
+
})
|
|
218
|
+
})
|
|
219
|
+
|
|
220
|
+
describe('getBaselinePath', () => {
|
|
221
|
+
it('should return correct path', () => {
|
|
222
|
+
expect(manager.getBaselinePath()).toBe(join(testDir, '.oculum/baseline.json'))
|
|
223
|
+
})
|
|
224
|
+
})
|
|
225
|
+
})
|