@oculum/scanner 1.0.10 → 1.0.12

package/src/layer1/urls.ts

@@ -4,6 +4,15 @@
  */
 
 import type { Vulnerability } from '../types'
+import type { ParsedFile } from '../utils/parsed-file'
+import { isTestConfigFile, isPythonFile, isInsidePythonDocstring } from '../utils/context-helpers'
+import {
+  getEnvironmentContext,
+  isInPlaceholderAttribute,
+  isDefaultParameterValue,
+  getLocalhostSeverity,
+} from '../utils/environment-context'
+import { getRouteProtectionContext } from '../utils/route-hierarchy'
 
 // Check if file is documentation/README/example
 function isDocumentationFile(filePath: string): boolean {
@@ -26,6 +35,50 @@ function isDocumentationFile(filePath: string): boolean {
   return docPatterns.some(p => p.test(filePath))
 }
 
+/**
+ * Check if file path indicates it's inside an authenticated route group
+ * Modern frameworks use route groups/layouts that handle auth at the layout level
+ *
+ * Examples:
+ * - Next.js: (authenticated)/dashboard/page.tsx, (admin)/users/page.tsx
+ * - Remix: _authenticated+/dashboard.tsx
+ * - SvelteKit: (protected)/+page.svelte
+ */
+function isInsideAuthenticatedRouteGroup(filePath: string): boolean {
+  const authRoutePatterns = [
+    // Next.js App Router - route groups with auth-related names
+    /\/\(authenticated\)\//i,
+    /\/\(protected\)\//i,
+    /\/\(auth\)\//i,
+    /\/\(admin\)\//i,
+    /\/\(dashboard\)\//i,
+    /\/\(private\)\//i,
+    /\/\(secure\)\//i,
+    /\/\(user\)\//i,
+    /\/\(account\)\//i,
+    /\/\(settings\)\//i,
+    /\/\(app\)\//i,           // Common pattern for authenticated app routes
+
+    // Remix - authenticated route conventions
+    /\/_authenticated\+\//i,
+    /\/_protected\+\//i,
+    /\/_auth\+\//i,
+    /\/__authenticated\//i,
+
+    // Generic patterns that indicate auth-protected sections
+    /\/dashboard\//i,
+    /\/admin\//i,
+    /\/account\//i,
+    /\/settings\//i,
+    /\/profile\//i,
+    /\/my-/i,                 // /my-account/, /my-orders/
+    /\/user\//i,
+    /\/users\/\[/i,           // /users/[userId]/ - user-specific routes
+  ]
+
+  return authRoutePatterns.some(p => p.test(filePath))
+}
+
 // Check if file is a config/constants file where localhost is expected
 function isDevConfigFile(filePath: string): boolean {
   const devConfigPatterns = [
@@ -44,6 +97,37 @@ function isDevConfigFile(filePath: string): boolean {
   return devConfigPatterns.some(p => p.test(filePath))
 }
 
+// Check if file is a locale/i18n file where URLs are example placeholders
+function isLocaleFile(filePath: string): boolean {
+  const localePatterns = [
+    /\/locales?\//i,           // /locale/ or /locales/
+    /\/i18n\//i,               // /i18n/
+    /\/translations?\//i,      // /translation/ or /translations/
+    /\/lang\//i,               // /lang/
+    /\/languages?\//i,         // /language/ or /languages/
+    /\.\w{2}(-\w{2})?\.json$/i, // .en.json, .zh-CN.json, etc.
+  ]
+  return localePatterns.some(p => p.test(filePath))
+}
+
+// Check if line contains URL placeholder/example text
+function isUrlPlaceholderText(line: string): boolean {
+  const placeholderPatterns = [
+    /placeholder['"]\s*:/i,      // "placeholder": "http://..."
+    /example['"]\s*:/i,          // "example": "http://..."
+    /e\.g\./i,                   // e.g. http://localhost
+    /for\s+example/i,            // for example http://...
+    /such\s+as/i,                // such as http://localhost
+    /like\s+http/i,              // like http://localhost
+    /格式.*http/i,               // Chinese: format http://...
+    /例如.*http/i,               // Chinese: for example http://...
+    /beispiel.*http/i,           // German: example http://...
+    /ejemplo.*http/i,            // Spanish: example http://...
+    /exemple.*http/i,            // French: example http://...
+  ]
+  return placeholderPatterns.some(p => p.test(line))
+}
+
 // URL patterns that may indicate security issues
 const URL_PATTERNS = [
   // Internal/staging endpoints in production code
@@ -84,18 +168,20 @@ const URL_PATTERNS = [
     description: 'Hardcoded test environment URL found',
   },
 
-  // Admin/sensitive endpoints - downgraded to info (these are often intentional)
+  // Admin/sensitive endpoints - heavily downgraded
+  // In most modern frameworks, these are protected by middleware or layout auth
+  // Flagging them creates noise when they're inside authenticated route groups
   {
     pattern: /['"`]\/admin(?:\/|['"`])/gi,
     name: 'Admin Endpoint',
     severity: 'info' as const,
-    description: 'Admin endpoint path found - verify access control',
+    description: 'Admin endpoint path found - typically protected by auth middleware',
   },
   {
     pattern: /['"`]\/api\/admin/gi,
     name: 'Admin API Endpoint',
-    severity: 'low' as const,  // Downgraded from medium
-    description: 'Admin API endpoint found - verify access control',
+    severity: 'info' as const,  // Downgraded from low - usually behind middleware
+    description: 'Admin API endpoint found - typically protected by auth middleware',
   },
 
   // API keys in URLs
@@ -178,6 +264,33 @@ function isEnvVarReference(lineContent: string): boolean {
          lineContent.includes('import.meta.env')
 }
 
+/**
+ * Check if localhost URL is used as a fallback default value
+ * This is a common safe pattern in development:
+ * - process.env.API_URL || 'http://localhost:3000'
+ * - baseUrl ?? 'http://localhost:3000'
+ * - config.url || 'http://localhost'
+ * - config?.url ?? 'http://localhost'
+ */
+function isLocalhostFallback(lineContent: string): boolean {
+  const fallbackPatterns = [
+    // Logical OR fallback: something || 'http://localhost...'
+    /\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Nullish coalescing fallback: something ?? 'http://localhost...'
+    /\?\?\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Default parameter: = 'http://localhost...'
+    /=\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)[^'"]*['"`]\s*(,|\)|$)/i,
+    // Ternary with env check: process.env.X ? ... : 'http://localhost'
+    /process\.env\.\w+\s*\?\s*[^:]+\s*:\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Object property default: url: process.env.X || 'http://localhost'
+    /:\s*process\.env\.\w+\s*\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Import.meta.env fallback
+    /import\.meta\.env\.\w+\s*\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    /import\.meta\.env\.\w+\s*\?\?\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+  ]
+  return fallbackPatterns.some(p => p.test(lineContent))
+}
+
 // Get URL context for smarter detection
 function getURLContext(lineContent: string, filePath: string): {
   isDevOnly: boolean
@@ -240,7 +353,8 @@ export function aggregateLocalhostFindings(
 
 export function detectSensitiveURLs(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
@@ -249,9 +363,18 @@ export function detectSensitiveURLs(
     return vulnerabilities
   }
 
-  const lines = content.split('\n')
+  // Get environment context for smart handling
+  const envContext = getEnvironmentContext(filePath)
+
+  // Get route protection context
+  const routeHierarchy = getRouteProtectionContext(filePath)
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const inTestFile = isTestFile(filePath)
   const inDevConfig = isDevConfigFile(filePath)
+  const inTestConfig = isTestConfigFile(filePath)
+  const isPython = isPythonFile(filePath)
+  const inAuthRoute = isInsideAuthenticatedRouteGroup(filePath) || routeHierarchy.isInProtectedHierarchy
 
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i]
@@ -259,6 +382,11 @@ export function detectSensitiveURLs(
     // Skip comments
     if (isComment(line)) continue
 
+    // Skip Python docstrings - they often contain example URLs
+    if (isPython && isInsidePythonDocstring(lines, i)) {
+      continue
+    }
+
     // Get context for this line
     const context = getURLContext(line, filePath)
 
@@ -275,14 +403,50 @@ export function detectSensitiveURLs(
 
         // Special handling for localhost URLs
         if (/localhost|127\.0\.0\.1/i.test(url)) {
-          // Skip localhost in test files, dev-only contexts, or dev config files
-          if (context.isTestFile || context.isDevOnly || inDevConfig) {
+          // Skip localhost as fallback/default values - this is standard practice
+          // e.g., process.env.API_URL || 'http://localhost:3000'
+          if (isLocalhostFallback(line)) {
+            continue
+          }
+
+          // Use environment context for smarter handling
+          // Skip localhost in environments where it's expected (templates, tests, tooling)
+          if (envContext.allowsLocalhostDefaults) {
+            continue
+          }
+
+          // Skip localhost in test files, dev-only contexts, test config files, or dev config files
+          if (context.isTestFile || context.isDevOnly || inDevConfig || inTestConfig) {
+            continue
+          }
+
+          // Skip localhost in placeholder attributes (placeholder="https://localhost...")
+          if (isInPlaceholderAttribute(line)) {
             continue
           }
 
-          // Only flag localhost in production env files as high, otherwise info
-          const isProduction = filePath.includes('.env.production')
-          const adjustedSeverity = isProduction ? 'high' as const : 'info' as const
+          // Skip localhost when used as default parameter value
+          if (isDefaultParameterValue(line)) {
+            continue
+          }
+
+          // Skip localhost in locale/i18n files - these are example placeholders for users
+          if (isLocaleFile(filePath)) {
+            continue
+          }
+
+          // Skip localhost in placeholder/example text (e.g., "e.g. http://localhost")
+          if (isUrlPlaceholderText(line)) {
+            continue
+          }
+
+          // Use smart severity determination based on context
+          const adjustedSeverity = getLocalhostSeverity(filePath, line)
+
+          // Skip info-level findings in non-production contexts
+          if (adjustedSeverity === 'info' && !filePath.includes('.env.production')) {
+            continue
+          }
 
           vulnerabilities.push({
             id: `url-${filePath}-${i + 1}-${name}`,
@@ -292,19 +456,29 @@ export function detectSensitiveURLs(
             severity: adjustedSeverity,
             category: 'sensitive_url',
             title: name,
-            description: description + (isProduction ? ' (in production config!)' : ' (in dev/config file)'),
+            description: description + (adjustedSeverity === 'high' ? ' (in production config!)' : ' (in dev/config file)'),
             suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
-            confidence: isProduction ? 'high' : 'low',
+            confidence: adjustedSeverity === 'high' ? 'high' : 'low',
             layer: 1,
           })
         } else {
           // Normal URL handling (non-localhost)
           // Lower severity for test files - downgrade more aggressively
           let adjustedSeverity = severity
+          let contextNote = ''
+
           if (inTestFile) {
             if (severity === 'critical') adjustedSeverity = 'high'
             else if (severity === 'high') adjustedSeverity = 'low'
             else adjustedSeverity = 'info'
+            contextNote = ' (in test file)'
+          }
+
+          // Downgrade admin/sensitive endpoint findings inside authenticated route groups
+          // These routes are already protected by layout/middleware auth
+          if (inAuthRoute && (name === 'Admin Endpoint' || name === 'Admin API Endpoint')) {
+            adjustedSeverity = 'info'
+            contextNote = ' (inside authenticated route group)'
           }
 
           // Non-critical URL findings require AI validation
@@ -318,7 +492,7 @@ export function detectSensitiveURLs(
             severity: adjustedSeverity,
             category: 'sensitive_url',
             title: name,
-            description: description + (inTestFile ? ' (in test file)' : ''),
+            description: description + contextNote,
             suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
             confidence: inTestFile ? 'low' : 'medium',
             layer: 1,

package/src/layer1/weak-crypto.ts

@@ -4,6 +4,7 @@
  */
 
 import type { Vulnerability } from '../types'
+import type { ParsedFile } from '../utils/parsed-file'
 
 // Weak/deprecated cryptographic patterns
 const WEAK_CRYPTO_PATTERNS = [
@@ -16,13 +17,34 @@ const WEAK_CRYPTO_PATTERNS = [
     fix: 'Use SHA-256 or SHA-3 for hashing. For passwords, use bcrypt, scrypt, or Argon2.',
     contextCheck: (line: string) => {
       // Only flag as high if used in security context (passwords, tokens, etc.)
-      // Checksum/etag usage is acceptable for non-security purposes
-      const securityContexts = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /key/i]
-      const checksumContexts = [/checksum/i, /hash.*file/i, /file.*hash/i, /etag/i, /content.*hash/i, /integrity/i, /digest/i, /fingerprint/i]
-      
+      // Checksum/etag/cache usage is acceptable for non-security purposes
+      const securityContexts = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /key/i, /verify.*user/i, /sign/i]
+      const checksumContexts = [
+        /checksum/i,
+        /hash.*file/i,
+        /file.*hash/i,
+        /etag/i,
+        /content.*hash/i,
+        /integrity/i,
+        /digest/i,
+        /fingerprint/i,
+        /cache.*key/i,
+        /dedup/i,
+        /uniqueId/i,
+        /contentId/i,
+        /gravatar/i,        // Gravatar uses MD5 for email hashing
+        /avatar/i,          // Avatar URLs often use MD5
+        /blob/i,            // Blob hashing
+        /asset/i,           // Asset fingerprinting
+        /sprite/i,          // Sprite sheet hashing
+        /bundle/i,          // Bundle hashing
+        /chunk/i,           // Webpack chunk hashing
+        /manifest/i,        // Manifest hashing
+      ]
+
       const isSecurityContext = securityContexts.some(p => p.test(line))
       const isChecksumContext = checksumContexts.some(p => p.test(line))
-      
+
       // If it's clearly a checksum context, don't flag
       if (isChecksumContext && !isSecurityContext) {
         return false
@@ -38,14 +60,32 @@ const WEAK_CRYPTO_PATTERNS = [
     fix: 'Use createHash(\'sha256\') or createHash(\'sha3-256\') instead.',
     contextCheck: (line: string, _match: RegExpMatchArray, funcName?: string) => {
       // Check function name and line context for checksum indicators
-      const checksumIndicators = [/checksum/i, /etag/i, /content.*hash/i, /file.*hash/i, /integrity/i, /digest/i, /fingerprint/i, /verify.*file/i]
-      const securityIndicators = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i]
-      
+      const checksumIndicators = [
+        /checksum/i,
+        /etag/i,
+        /content.*hash/i,
+        /file.*hash/i,
+        /integrity/i,
+        /digest/i,
+        /fingerprint/i,
+        /verify.*file/i,
+        /cache/i,
+        /dedup/i,
+        /gravatar/i,
+        /avatar/i,
+        /asset/i,
+        /bundle/i,
+        /chunk/i,
+        /manifest/i,
+        /sprite/i,
+      ]
+      const securityIndicators = [/password/i, /token/i, /secret/i, /credential/i, /auth/i, /session/i, /verify.*user/i, /sign/i]
+
       const lineAndFunc = funcName ? `${funcName} ${line}` : line
-      
+
       const isChecksum = checksumIndicators.some(p => p.test(lineAndFunc))
       const isSecurity = securityIndicators.some(p => p.test(lineAndFunc))
-      
+
       // Checksum use without security context = acceptable, don't flag
       if (isChecksum && !isSecurity) {
         return false
@@ -75,6 +115,23 @@ const WEAK_CRYPTO_PATTERNS = [
     severity: 'high' as const,
     description: 'DES is obsolete and easily broken. Use AES instead.',
     fix: 'Use AES-256-GCM for symmetric encryption.',
+    contextCheck: (line: string) => {
+      // DES must appear in crypto-related context, not natural language
+      // Common French/Spanish word "des" should not trigger this
+      const cryptoContexts = [
+        /cipher/i,
+        /encrypt/i,
+        /decrypt/i,
+        /crypto/i,
+        /algorithm/i,
+        /createCipher/i,
+        /\bDES\s*[.(]/i,        // DES function call like DES() or DES.encrypt()
+        /['"]DES['"]/i,         // DES as string literal
+        /DES[-_]/i,             // DES-CBC, DES_KEY, etc.
+        /[-_]DES/i,             // 3DES, etc.
+      ]
+      return cryptoContexts.some(ctx => ctx.test(line))
+    },
   },
   {
     pattern: /createCipher(?:iv)?\s*\(\s*['"]des['"]/gi,
@@ -113,6 +170,39 @@ const WEAK_CRYPTO_PATTERNS = [
     description: 'Math.random() is not cryptographically secure and should not be used for security purposes',
     fix: 'Use crypto.randomBytes() or crypto.getRandomValues() for cryptographic operations.',
     contextCheck: (line: string) => {
+      // Exclude load balancing/array selection patterns (not security-critical)
+      // Pattern: Math.random() * array.length or Math.random() * count
+      const loadBalancingPatterns = [
+        /Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i,        // * array.length
+        /Math\.random\s*\(\s*\)\s*\*\s*\w+\.keyLen/i,        // * store.keyLen (API key manager)
+        /Math\.random\s*\(\s*\)\s*\*\s*\w+\.size/i,          // * collection.size
+        /Math\.random\s*\(\s*\)\s*\*\s*\d+\s*\)/,            // * literal number in expression
+        /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\w+\.length/i,  // Math.floor(Math.random() * arr.length)
+        /Math\.floor\s*\(\s*Math\.random\s*\(\s*\)\s*\*\s*\w+\.keyLen/i,  // Math.floor(Math.random() * store.keyLen)
+        /\[\s*Math\.floor\s*\(\s*Math\.random/i,             // array[Math.floor(Math.random...)]
+        /index\s*=\s*Math\.floor\s*\(\s*Math\.random/i,      // index = Math.floor(Math.random...)
+        /pick|select|choose|shuffle|sample/i,                 // Load balancing keywords
+      ]
+
+      if (loadBalancingPatterns.some(p => p.test(line))) {
+        return false  // Don't flag - this is load balancing, not security
+      }
+
+      // Exclude fallback patterns where crypto is the primary method
+      // Pattern: crypto.randomUUID() ?? Math.random() or crypto.getRandomValues() || Math.random()
+      const fallbackPatterns = [
+        /crypto\??\.\s*randomUUID\s*\(\s*\)\s*\?\?/i,     // crypto.randomUUID() ??
+        /crypto\??\.\s*getRandomValues\s*\([^)]*\)\s*\?\?/i, // crypto.getRandomValues() ??
+        /globalThis\.crypto\??\.\s*randomUUID/i,          // globalThis.crypto.randomUUID
+        /window\.crypto\??\.\s*randomUUID/i,              // window.crypto.randomUUID
+        /\?\.\s*randomUUID\s*\(\s*\)\s*\?\?/i,            // ?.randomUUID() ??
+        /randomUUID\s*\(\s*\)\s*\?\?.*Math\.random/i,     // randomUUID() ?? ...Math.random
+      ]
+
+      if (fallbackPatterns.some(p => p.test(line))) {
+        return false  // Don't flag - Math.random is only a fallback for missing crypto API
+      }
+
       // Only flag if it looks like it's being used for security
       const securityContexts = [
         /token/i, /secret/i, /key/i, /password/i, /salt/i,
@@ -196,6 +286,20 @@ function isComment(lineContent: string): boolean {
   )
 }
 
+// Check if this is a Python file
+function isPythonFile(filePath: string): boolean {
+  return /\.py$/i.test(filePath)
+}
+
+/**
+ * Check if Python's usedforsecurity=False flag is present
+ * Python 3.9+ allows explicitly marking hash usage as non-security
+ * Example: hashlib.md5(data, usedforsecurity=False)
+ */
+function hasUsedForSecurityFalse(line: string): boolean {
+  return /usedforsecurity\s*=\s*False/i.test(line)
+}
+
 // Check if line is a pattern definition (regex or string literal in detector code)
 function isPatternDefinition(lineContent: string): boolean {
   const trimmed = lineContent.trim()
@@ -244,6 +348,22 @@ function isTestOrFixtureFile(filePath: string): boolean {
   )
 }
 
+// Check if file is a locale/translation file
+function isLocaleFile(filePath: string): boolean {
+  const lowerPath = filePath.toLowerCase()
+  return (
+    lowerPath.includes('/locales/') ||
+    lowerPath.includes('/locale/') ||
+    lowerPath.includes('/translations/') ||
+    lowerPath.includes('/i18n/') ||
+    lowerPath.includes('/lang/') ||
+    lowerPath.includes('/languages/') ||
+    // Common locale file patterns
+    /\/(en|fr|de|es|it|pt|ja|ko|zh|ru|ar|nl|pl|tr|vi|th|id|ms|fil|hi|bn|ta|te|ml|kn|gu|mr|pa|ur|sw|am|or|si|ne|km|my|lo|ka|mk|sr|hr|sl|sk|cs|hu|ro|bg|uk|el|he|fa|ps|ku|ug|yi|mn|bo|dz|dv)[-_][a-z]{2,}\.json$/i.test(lowerPath) ||
+    /locale.*\.json$/i.test(lowerPath)
+  )
+}
+
 /**
  * Find the enclosing function name for a given line
  */
@@ -267,10 +387,11 @@ function findEnclosingFunctionName(lines: string[], lineIndex: number): string |
 
 export function detectWeakCrypto(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   
   // Skip scanner's own detector files to avoid self-detection
   if (isScannerDetectorFile(filePath)) {
@@ -282,23 +403,54 @@ export function detectWeakCrypto(
     return vulnerabilities
   }
 
+  // Skip locale/translation files (natural language text, not crypto code)
+  if (isLocaleFile(filePath)) {
+    return vulnerabilities
+  }
+
+  const isPython = isPythonFile(filePath)
+
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i]
-    
+
     // Skip comments
     if (isComment(line)) continue
-    
+
     // Skip pattern definitions (detector rule definitions)
     if (isPatternDefinition(line)) continue
 
+    // Skip Python code with usedforsecurity=False flag
+    // Python 3.9+ allows explicitly marking non-security hash usage
+    if (isPython && hasUsedForSecurityFalse(line)) {
+      continue
+    }
+
     for (const cryptoPattern of WEAK_CRYPTO_PATTERNS) {
       const { pattern, name, severity, description, fix, contextCheck } = cryptoPattern
-      
+
       // Reset regex state
       const regex = new RegExp(pattern.source, pattern.flags)
       const match = regex.exec(line)
-      
+
       if (match) {
+        // Special handling for Math.random - check multi-line fallback patterns
+        if (name === 'Math.random() for Security') {
+          // Check previous 2 lines for crypto.randomUUID fallback pattern
+          // Pattern: crypto?.randomUUID?.() ?? `...${Math.random()}...`
+          const prevLines = lines.slice(Math.max(0, i - 2), i + 1).join(' ')
+          const multiLineFallbackPatterns = [
+            /crypto\??\.?\s*randomUUID\??\s*\(\s*\)\s*\?\?/i,         // crypto.randomUUID() ??
+            /globalThis\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i,      // globalThis.crypto?.randomUUID?.()
+            /window\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i,          // window.crypto?.randomUUID?.()
+            /\?\.\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,              // ?.randomUUID?.() ??
+            /crypto\??\.?\s*getRandomValues\s*\(/i,                    // crypto.getRandomValues()
+            /randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,                      // randomUUID?.() ?? (generic)
+          ]
+          if (multiLineFallbackPatterns.some(p => p.test(prevLines))) {
+            continue  // Skip - Math.random is only a fallback for missing crypto API
+          }
+        }
+
         // If there's a context check, apply it
         // Pass function name for additional context
         const funcName = findEnclosingFunctionName(lines, i)