@oculum/scanner 1.0.11 → 1.0.12

package/src/layer2/dangerous-functions/math-random.ts

@@ -10,8 +10,87 @@ import {
   isSeedOrDataGenFile,
   isEducationalVulnerabilityFile,
 } from '../../utils/context-helpers'
+import type { ParsedFile } from '../../utils/parsed-file'
 import { extractFunctionContext } from './utils/control-flow'
 
+/**
+ * Check if Math.random() is used in a jitter/backoff/retry context
+ * These are legitimate uses of Math.random() for network resilience,
+ * not security-sensitive randomness.
+ *
+ * Examples:
+ *   const delay = baseDelay + Math.random() * jitter
+ *   setTimeout(retry, delay * Math.random())
+ *   await sleep(backoff * (1 + Math.random() * 0.1))
+ *
+ * @param content - Full file content
+ * @param lineNumber - The 0-indexed line number where Math.random() was found
+ */
+export function isJitterOrBackoffContext(
+  content: string,
+  lineNumber: number,
+  lines?: string[]
+): boolean {
+  const _lines = lines ?? content.split('\n')
+  const start = Math.max(0, lineNumber - 10)
+  const end = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(start, end).join('\n')
+
+  // Patterns indicating jitter/backoff/retry context
+  const jitterPatterns = [
+    // Direct keyword matches
+    /\b(jitter|backoff|retry|retries|exponential)\b/i,
+    // Delay/timeout with random
+    /setTimeout.*Math\.random/i,
+    /setInterval.*Math\.random/i,
+    /sleep.*Math\.random/i,
+    /await.*delay.*Math\.random/i,
+    // Common backoff patterns
+    /\* Math\.random\(\).*delay/i,
+    /delay\s*\*\s*Math\.random/i,
+    /Math\.random\(\)\s*\*\s*\d+.*delay/i,
+    // Retry-related function names
+    /function\s+(retry|withRetry|backoff|withBackoff|exponentialBackoff)/i,
+    // Common retry library patterns
+    /retryPolicy|retryConfig|retryOptions|maxRetries|retryCount/i,
+    // Network resilience patterns
+    /\b(throttle|debounce|rateLimit)\b.*Math\.random/i,
+    // Sampling/probability for non-security uses
+    /sampleRate|samplingRate|probability\s*[<>]=?\s*Math\.random/i,
+  ]
+
+  return jitterPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if Math.random() is used in a React key prop context
+ * This is a common pattern to force re-renders, not a security issue.
+ *
+ * Examples:
+ *   key={Math.random()}
+ *   key={`prefix-${Math.random()}`}
+ *   key={Math.random().toString()}
+ *
+ * @param lineContent - The line of code to check
+ * @param filePath - The file path (only check JSX/TSX files)
+ */
+export function isReactKeyPattern(lineContent: string, filePath: string): boolean {
+  // Only check in JSX/TSX files
+  if (!/\.[jt]sx$/.test(filePath)) {
+    return false
+  }
+
+  // Pattern: key={...Math.random()...}
+  // Matches:
+  //   key={Math.random()}
+  //   key={`foo-${Math.random()}`}
+  //   key={Math.random().toString()}
+  //   key={`${Math.random()}-bar`}
+  //   key={something + Math.random()}
+  const keyPattern = /key\s*=\s*\{[^}]*Math\.random\(\)/
+  return keyPattern.test(lineContent)
+}
+
 /**
  * Check if Math.random() is used for cosmetic/UI purposes (not security)
  * Cosmetic uses: CSS values, animations, UI variations, demo data
@@ -20,9 +99,10 @@ import { extractFunctionContext } from './utils/control-flow'
 export function isCosmeticMathRandom(
   lineContent: string,
   content: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): boolean {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
 
   // Check the line itself for cosmetic indicators
   const cosmeticLinePatterns = [
@@ -61,8 +141,8 @@ export function isCosmeticMathRandom(
 
   // Check surrounding context (5 lines before and after)
   const contextStart = Math.max(0, lineNumber - 5)
-  const contextEnd = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(contextStart, contextEnd).join('\n')
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
 
   // Context indicators of cosmetic use
   const cosmeticContextPatterns = [
@@ -402,7 +482,8 @@ export function classifyVariableNameRisk(
 export function analyzeMathRandomContext(
   content: string,
   filePath: string,
-  lineNumber: number
+  lineNumber: number,
+  lines?: string[]
 ): {
   inSecurityContext: boolean
   inTestContext: boolean
@@ -410,10 +491,10 @@ export function analyzeMathRandomContext(
   inBusinessLogicContext: boolean
   contextDescription: string
 } {
-  const lines = content.split('\n')
+  const _lines = lines ?? content.split('\n')
   const start = Math.max(0, lineNumber - 10)
-  const end = Math.min(lines.length, lineNumber + 5)
-  const context = lines.slice(start, end).join('\n')
+  const end = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(start, end).join('\n')
 
   // Security context indicators (functions, imports, comments)
   const securityPatterns = [
@@ -438,8 +519,8 @@ export function analyzeMathRandomContext(
     testContextPatterns.some(p => p.test(context))
 
   // UI/cosmetic context (reuse existing logic)
-  const lineContent = lines[lineNumber]
-  const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber)
+  const lineContent = _lines[lineNumber]
+  const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber, _lines)
 
   // Business logic context (non-security ID generation)
   // Note: UUID/CAPTCHA patterns excluded - handled by functionIntent classification
@@ -448,6 +529,14 @@ export function analyzeMathRandomContext(
     /\b(reference|tracking|confirmation)Number\b/i,
     /\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
     /\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i,
+    // Load balancing and selection patterns
+    /mode\s*===?\s*['"]random['"]/i,     // mode === 'random'
+    /\.\w*index\s*%/i,                    // round-robin patterns
+    /keys?\[.*Math\.random/i,             // keys[Math.floor(Math.random() * keys.length)]
+    /\[\s*Math\.floor\s*\(\s*Math\.random/i,  // array[Math.floor(Math.random()...)]
+    /shuffle/i,                           // shuffle functions
+    /pickRandom/i,                        // pickRandom helpers
+    /randomElement/i,                     // randomElement helpers
   ]
   const inBusinessLogicContext =
     businessLogicPatterns.some(p => p.test(context)) && !inSecurityContext
@@ -473,29 +562,169 @@ export function analyzeMathRandomContext(
   }
 }
 
+/**
+ * Check if file is an animation/motion component based on file name
+ * Files with animation-related names typically use Math.random for visual effects
+ */
+export function isAnimationFile(filePath: string): boolean {
+  const animationPatterns = [
+    /animated[-_]/i,           // animated-document-scanner.tsx
+    /[-_]animation/i,          // document-animation.tsx
+    /motion[-_]/i,             // motion-component.tsx
+    /[-_]motion/i,             // scroll-motion.tsx
+    /particles?[-_]/i,         // particles-background.tsx
+    /confetti/i,               // confetti.tsx
+    /[-_]effect/i,             // hover-effect.tsx
+    /transition[-_]/i,         // transition-wrapper.tsx
+    /visual[-_]/i,             // visual-effects.tsx
+    /canvas[-_]/i,             // canvas-animation.tsx
+  ]
+  return animationPatterns.some(p => p.test(filePath))
+}
+
+/**
+ * Check if Math.random() is used for animation/motion coordinates
+ * Common in animation libraries like framer-motion, react-spring, Three.js, etc.
+ */
+export function isAnimationCoordinateUsage(lineContent: string, context: string): boolean {
+  // Object property assignments for coordinates
+  const coordinatePatterns = [
+    /\bx:\s*Math\.random/i,           // x: Math.random()
+    /\by:\s*Math\.random/i,           // y: Math.random()
+    /\bz:\s*Math\.random/i,           // z: Math.random()
+    /\bleft:\s*.*Math\.random/i,      // left: Math.random()
+    /\btop:\s*.*Math\.random/i,       // top: Math.random()
+    /\bright:\s*.*Math\.random/i,     // right: Math.random()
+    /\bbottom:\s*.*Math\.random/i,    // bottom: Math.random()
+    /\brotation:\s*.*Math\.random/i,  // rotation: Math.random()
+    /\brotateX:\s*.*Math\.random/i,   // rotateX: Math.random()
+    /\brotateY:\s*.*Math\.random/i,   // rotateY: Math.random()
+    /\brotateZ:\s*.*Math\.random/i,   // rotateZ: Math.random()
+    /\bscaleX?:\s*.*Math\.random/i,   // scale/scaleX: Math.random()
+    /\bscaleY:\s*.*Math\.random/i,    // scaleY: Math.random()
+    /\bopacity:\s*.*Math\.random/i,   // opacity: Math.random()
+    /\bduration:\s*.*Math\.random/i,  // duration: Math.random()
+    /\bdelay:\s*.*Math\.random/i,     // delay: Math.random()
+    // 3D/Three.js specific patterns
+    /\boffset\s*=.*Math\.random/i,    // offset = Math.random()
+    /useMemo\s*\(\s*\(\s*\)\s*=>\s*Math\.random/i,  // useMemo(() => Math.random(), [])
+    /\bphase\s*[:=].*Math\.random/i,  // phase: Math.random() or phase = Math.random()
+    /\bspeed\s*[:=].*Math\.random/i,  // speed: Math.random()
+    /\bangle\s*[:=].*Math\.random/i,  // angle: Math.random()
+  ]
+
+  if (coordinatePatterns.some(p => p.test(lineContent))) {
+    return true
+  }
+
+  // Motion/animation library context patterns
+  const motionLibraryPatterns = [
+    /framer-motion/i,
+    /react-spring/i,
+    /react-motion/i,
+    /gsap/i,
+    /animejs/i,
+    /popmotion/i,
+    /motion\.div/i,
+    /useSpring/i,
+    /useAnimation/i,
+    /animate\s*\(/i,
+    /keyframes/i,
+    // Three.js and React Three Fiber patterns
+    /three/i,
+    /useFrame/i,
+    /@react-three/i,
+    /Canvas/i,      // React Three Fiber Canvas
+    /mesh/i,        // Three.js mesh
+    /geometry/i,    // Three.js geometry
+    /material/i,    // Three.js material
+  ]
+
+  return motionLibraryPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if Math.random() is used in a template placeholder generator context
+ * Template systems often use random generators for placeholder values
+ *
+ * Examples:
+ *   const templates = { random: () => Math.random().toString() }
+ *   random_hex: () => Math.random().toString(16)
+ *   {{random}} placeholder generation
+ */
+export function isTemplatePlaceholderGenerator(
+  line: string,
+  content: string,
+  lineNumber: number,
+  lines?: string[]
+): boolean {
+  const _lines = lines ?? content.split('\n')
+  const contextStart = Math.max(0, lineNumber - 10)
+  const contextEnd = Math.min(_lines.length, lineNumber + 5)
+  const context = _lines.slice(contextStart, contextEnd).join('\n')
+
+  const templatePatterns = [
+    /\{\{random\w*\}\}/i,                     // {{random}}, {{random_hex}}, etc.
+    /random:\s*\(\s*\)\s*=>\s*Math\.random/i, // random: () => Math.random()
+    /random_\w+:\s*\(\s*\)\s*=>/i,            // random_int: () => ...
+    /placeholder.*random/i,                    // placeholder context
+    /templates?\s*[=:]\s*\{/i,                // templates = { or template: {
+    /generatePlaceholder/i,                    // generatePlaceholder function
+    /placeholder\s*[:=]/i,                     // placeholder: or placeholder =
+  ]
+
+  return templatePatterns.some(p => p.test(context) || p.test(line))
+}
+
 /**
  * Check if Math.random() should be skipped entirely
- * Returns true for seed files, test fixtures, captcha/puzzle, uuid, and pure cosmetic uses
+ * Returns true for seed files, test fixtures, captcha/puzzle, uuid, React keys, jitter/backoff, and pure cosmetic uses
  */
 export function shouldSkipMathRandom(
   content: string,
   filePath: string,
-  lineNumber: number
+  lineNumber: number,
+  options?: { parsed?: ParsedFile }
 ): boolean {
   // Seed/data generation files - skip entirely
   if (isSeedOrDataGenFile(filePath)) {
     return true
   }
 
+  // Animation/motion component files - skip entirely
+  // These use Math.random for visual effects, not security
+  if (isAnimationFile(filePath)) {
+    return true
+  }
+
   // Educational/intentional vulnerability files - skip entirely
   // These include OWASP Juice Shop, intentionally-vulnerable examples, etc.
   if (isEducationalVulnerabilityFile(filePath)) {
     return true
   }
 
+  // Check for React key pattern - this is a common pattern to force re-renders
+  // It's not a security issue, just a way to reset component state
+  const lines = options?.parsed?.lines ?? content.split('\n')
+  const lineContent = lines[lineNumber] || ''
+  if (isReactKeyPattern(lineContent, filePath)) {
+    return true
+  }
+
+  // Template placeholder generators - skip entirely
+  // These generate placeholder values for templates, not security tokens
+  if (isTemplatePlaceholderGenerator(lineContent, content, lineNumber, lines)) {
+    return true
+  }
+
+  // Jitter/backoff/retry patterns - legitimate non-security use of randomness
+  // Used for network resilience, rate limiting, exponential backoff, etc.
+  if (isJitterOrBackoffContext(content, lineNumber, lines)) {
+    return true
+  }
+
   // Test files with test fixture patterns
   if (isTestOrMockFile(filePath)) {
-    const lines = content.split('\n')
     const line = lines[lineNumber]
     // If in a test file and generating test data, skip
     if (
@@ -507,9 +736,7 @@ export function shouldSkipMathRandom(
   }
 
   // Pure cosmetic usage (CSS values, animations)
-  const lines = content.split('\n')
-  const lineContent = lines[lineNumber] || ''
-  if (isCosmeticMathRandom(lineContent, content, lineNumber)) {
+  if (isCosmeticMathRandom(lineContent, content, lineNumber, lines)) {
     // Additional check: if this is for animation/style, truly skip
     const pureStylePatterns = [
       /\.style\./,
@@ -524,6 +751,15 @@ export function shouldSkipMathRandom(
     }
   }
 
+  // Animation coordinate usage (x, y, rotation, etc.)
+  // Get surrounding context for animation library detection
+  const contextStart = Math.max(0, lineNumber - 15)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const animContext = lines.slice(contextStart, contextEnd).join('\n')
+  if (isAnimationCoordinateUsage(lineContent, animContext)) {
+    return true
+  }
+
   // Check function context for demo/seed/captcha/uuid functions
   const functionName = extractFunctionContext(content, lineNumber)
   const functionIntent = classifyFunctionIntent(functionName)
@@ -533,5 +769,21 @@ export function shouldSkipMathRandom(
     return true
   }
 
+  // Check for fallback pattern: crypto.randomUUID?.() ?? Math.random()
+  // When a secure primary method is used with Math.random as fallback,
+  // the code is safe (Math.random only runs in environments without crypto API)
+  const prevLines = lines.slice(Math.max(0, lineNumber - 2), lineNumber + 1).join(' ')
+  const multiLineFallbackPatterns = [
+    /crypto\??\.?\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,         // crypto.randomUUID() ??
+    /globalThis\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i,         // globalThis.crypto?.randomUUID?.()
+    /window\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i,             // window.crypto?.randomUUID?.()
+    /\?\.\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,                 // ?.randomUUID?.() ??
+    /crypto\??\.?\s*getRandomValues\s*\(/i,                       // crypto.getRandomValues()
+    /randomUUID\??\.?\s*\(\s*\)\s*\?\?/i,                         // randomUUID?.() ?? (generic)
+  ]
+  if (multiLineFallbackPatterns.some(p => p.test(prevLines))) {
+    return true  // Skip - Math.random is only a fallback for missing crypto API
+  }
+
   return false
 }

package/src/layer2/dangerous-functions/patterns.ts

@@ -58,9 +58,11 @@ export const DANGEROUS_FUNCTIONS: DangerousFunctionPattern[] = [
   },
 
   // SQL injection risks
+  // Note: .execute is too generic (used by axios, tRPC, request utilities)
+  // Focus on .query and .raw which are more SQL-specific
   {
     name: 'Raw SQL query construction',
-    pattern: /\.(query|execute|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
+    pattern: /\.(query|raw)\s*\(\s*[`'"].*\$\{|\.query\s*\(\s*['"].*\+/gi,
     severity: 'critical',
     description: 'String concatenation in SQL queries can lead to SQL injection',
     suggestedFix: 'Use parameterized queries or prepared statements',

package/src/layer2/dangerous-functions/utils/control-flow.ts

@@ -1,65 +1,20 @@
 /**
  * Control Flow Analysis Utilities
  *
- * Functions for analyzing code control flow, including try-catch detection
- * and function context extraction.
+ * Backward-compatible wrappers around shared code-analysis utilities.
+ * Existing callers pass (content: string, lineNumber: number) — these
+ * wrappers create a temporary ParsedFile to delegate to the shared implementation.
  */
 
-import { isComment } from '../../../utils/context-helpers'
+import { ParsedFile } from '../../../utils/parsed-file'
+import * as codeAnalysis from '../../../utils/code-analysis'
 
 /**
  * Check if a line is inside a try-catch block
  * Looks for enclosing try { ... } catch pattern
  */
 export function isInsideTryCatch(content: string, lineNumber: number): boolean {
-  const lines = content.split('\n')
-
-  // Track brace depth and whether we're in a try block
-  let tryDepth = 0
-  let inTryBlock = false
-  const braceStack: Array<'try' | 'other'> = []
-
-  // Scan from start to the target line
-  for (let i = 0; i < lineNumber && i < lines.length; i++) {
-    const line = lines[i]
-
-    // Check for try keyword (not in a comment)
-    if (/\btry\s*\{/.test(line) && !isComment(line)) {
-      inTryBlock = true
-      tryDepth++
-      // Count opening braces on this line
-      const openBraces = (line.match(/\{/g) || []).length
-      const closeBraces = (line.match(/\}/g) || []).length
-      for (let j = 0; j < openBraces - closeBraces; j++) {
-        braceStack.push('try')
-      }
-    } else if (/\bcatch\s*\(/.test(line) && !isComment(line)) {
-      // Entering catch block - still protected
-      // Don't decrement tryDepth yet
-    } else if (/\bfinally\s*\{/.test(line) && !isComment(line)) {
-      // Entering finally block - still protected
-    } else {
-      // Track regular braces
-      const openBraces = (line.match(/\{/g) || []).length
-      const closeBraces = (line.match(/\}/g) || []).length
-
-      for (let j = 0; j < openBraces; j++) {
-        braceStack.push(inTryBlock && tryDepth > 0 ? 'try' : 'other')
-      }
-
-      for (let j = 0; j < closeBraces; j++) {
-        const popped = braceStack.pop()
-        if (popped === 'try') {
-          tryDepth--
-          if (tryDepth === 0) {
-            inTryBlock = false
-          }
-        }
-      }
-    }
-  }
-
-  return tryDepth > 0
+  return codeAnalysis.isInsideTryCatch(new ParsedFile(content, ''), lineNumber)
 }
 
 /**
@@ -67,39 +22,7 @@ export function isInsideTryCatch(content: string, lineNumber: number): boolean {
  * Looks for try { before the line and } catch after, within reasonable bounds
  */
 export function hasTryCatchNearby(content: string, lineNumber: number, windowSize: number = 20): boolean {
-  const lines = content.split('\n')
-  const startLine = Math.max(0, lineNumber - windowSize)
-  const endLine = Math.min(lines.length, lineNumber + windowSize)
-
-  // Look backward for 'try {'
-  let foundTry = false
-  for (let i = lineNumber - 1; i >= startLine; i--) {
-    const line = lines[i]
-    if (/\btry\s*\{/.test(line) && !isComment(line)) {
-      foundTry = true
-      break
-    }
-    // Stop if we hit a function boundary
-    if (/\b(function|async function|=>|class)\b/.test(line) && /\{/.test(line)) {
-      break
-    }
-  }
-
-  if (!foundTry) return false
-
-  // Look forward for '} catch'
-  for (let i = lineNumber; i < endLine; i++) {
-    const line = lines[i]
-    if (/\}\s*catch\s*\(/.test(line) && !isComment(line)) {
-      return true
-    }
-    // Stop if we hit another function boundary
-    if (i > lineNumber && /\b(function|async function|class)\b/.test(line) && /\{/.test(line)) {
-      break
-    }
-  }
-
-  return false
+  return codeAnalysis.hasTryCatchNearby(new ParsedFile(content, ''), lineNumber, windowSize)
 }
 
 /**
@@ -108,55 +31,5 @@ export function hasTryCatchNearby(content: string, lineNumber: number, windowSiz
  * Returns lowercase function name or null if not found
  */
 export function extractFunctionContext(content: string, lineNumber: number): string | null {
-  const lines = content.split('\n')
-  const start = Math.max(0, lineNumber - 20) // Increased from 10 to 20 for nested callbacks
-
-  // Look backwards for function declaration
-  for (let i = lineNumber; i >= start; i--) {
-    const line = lines[i]
-
-    // Skip anonymous arrow functions in callbacks (e.g., .map((x) => ...), .replace(/x/g, (c) => ...))
-    // These are not the function context we're looking for
-    // Look for pattern: .methodName(..., (param) => or .methodName(...(param) =>
-    const hasMethodCallWithArrowCallback = /\.\w+\(.*\([^)]*\)\s*=>/.test(line)
-
-    // Skip lines that only have arrow callbacks in method calls
-    if (hasMethodCallWithArrowCallback && !/^(const|let|var|function|async|export)/.test(line.trim())) {
-      continue
-    }
-
-    // Named function declaration: function funcName(
-    const funcMatch = line.match(/function\s+(\w+)\s*\(/)
-    if (funcMatch) {
-      return funcMatch[1].toLowerCase()
-    }
-
-    // Arrow function with const/let/var: const funcName = () => | const funcName = async () =>
-    // Must have => after the parameters to distinguish from const x = (expression)
-    // Also handles TypeScript return type annotations: const funcName = (): string =>
-    const arrowMatch = line.match(/(const|let|var)\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)(?:\s*:\s*\w+)?\s*=>/)
-    if (arrowMatch) {
-      return arrowMatch[2].toLowerCase()
-    }
-
-    // Method declaration: methodName() { or async methodName() {
-    const methodMatch = line.match(/^\s*(?:async\s+)?(\w+)\s*\([^)]*\)\s*\{/)
-    if (methodMatch) {
-      return methodMatch[1].toLowerCase()
-    }
-
-    // Export function: export function funcName( or export const funcName = () =>
-    const exportFuncMatch = line.match(/export\s+(?:async\s+)?function\s+(\w+)\s*\(/)
-    if (exportFuncMatch) {
-      return exportFuncMatch[1].toLowerCase()
-    }
-
-    // Also handles TypeScript return type annotations: export const funcName = (): string =>
-    const exportConstMatch = line.match(/export\s+const\s+(\w+)\s*=\s*(?:async\s*)?\([^)]*\)(?:\s*:\s*\w+)?\s*=>/)
-    if (exportConstMatch) {
-      return exportConstMatch[1].toLowerCase()
-    }
-  }
-
-  return null
+  return codeAnalysis.extractFunctionContext(new ParsedFile(content, ''), lineNumber)
 }

package/src/layer2/dangerous-functions/utils/schema-validation.ts

@@ -72,12 +72,13 @@ export function hasManualValidation(content: string): boolean {
  */
 export function hasSQLWhitelistValidation(content: string, lineNumber: number): boolean {
   const lines = content.split('\n')
-  const contextStart = Math.max(0, lineNumber - 15)
+  const contextStart = Math.max(0, lineNumber - 20)
   const contextEnd = Math.min(lines.length, lineNumber + 5)
   const context = lines.slice(contextStart, contextEnd).join('\n')
 
   // Whitelist/allowlist validation patterns
   const whitelistPatterns = [
+    // Array-based whitelists
     /allowed\w*\s*=\s*\[/i, // allowedColumns = [...]
     /whitelist\w*\s*=\s*\[/i, // whitelistFields = [...]
     /valid\w*\s*=\s*\[/i, // validColumns = [...]
@@ -85,6 +86,20 @@ export function hasSQLWhitelistValidation(content: string, lineNumber: number):
     /\.includes\s*\([^)]*\)/i, // allowedColumns.includes(col)
     /\.every\s*\([^)]*\.includes/i, // columns.every(c => allowed.includes(c))
     /if\s*\(\s*!.*\.includes/i, // if (!allowed.includes(...))
+
+    // Object-based whitelists (Record<string, string>)
+    /\w+\s+in\s+\w*(?:sortable|allowed|valid|whitelist)\w*/i, // sorter in sortableFields
+    /\w+\s+in\s+\w+Fields/i, // key in someFields
+    /:\s*Record<string,\s*string>/i, // Type annotation: Record<string, string>
+    /const\s+\w+Fields\s*:\s*\{[^}]*\}\s*=/i, // const xyzFields: {...} = (inline type)
+    /const\s+\w+Fields\s*=\s*\{[^}]*\}/i, // const xyzFields = { ... }
+    /if\s*\([^)]*\s+in\s+\w+Fields\s*\)/i, // if (x in yFields)
+    /&&\s*\w+\s+in\s+\w+/i, // && sorter in sortableFields
+
+    // Enum-based validation (ASC/DESC, etc.)
+    /===?\s*['"](?:ASC|DESC)['"]/i, // === 'ASC' or === 'DESC'
+    /===?\s*\w+\.(?:Asc|Desc|ASC|DESC)/i, // === SortType.Asc
+    /toLowerCase\s*\(\s*\)\s*===?\s*\w+\.(?:asc|desc)/i, // .toLowerCase() === SortType.asc
   ]
 
   return whitelistPatterns.some(p => p.test(context))

package/src/layer2/data-exposure.ts

@@ -5,6 +5,7 @@
  */
 
 import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { ParsedFile } from '../utils/parsed-file'
 import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../utils/context-helpers'
 
 interface DataExposurePattern {
@@ -18,44 +19,17 @@ interface DataExposurePattern {
 
 const DATA_EXPOSURE_PATTERNS: DataExposurePattern[] = [
   // ============================================================================
-  // LOG SINKS (generally lower severity - server-side only)
-  // These are hygiene issues, not security vulnerabilities in most cases
+  // LOG SINKS - DISABLED
+  // Server logs are never exposed to users. After analysis of real codebases,
+  // 100% of console.error/warn findings were false positives.
+  // Logging is a standard debugging practice, not a security vulnerability.
   // ============================================================================
 
-  // Logging sensitive variables - kept low/info
-  // NOTE: Generic "query" or "search" logging is NOT flagged - only actual sensitive data
-  {
-    name: 'Logging user ID',
-    pattern: /console\.(log|info|debug|warn|error)\s*\([^)]*\b(userId|user_id|user\.id)\b/gi,
-    sink: 'log',
-    severity: 'info',
-    description: 'User ID logged to console. Common debugging practice - verify logs are secured.',
-    suggestedFix: 'Use structured logging with appropriate access controls. Remove before production if not needed.',
-  },
-  {
-    name: 'Logging error objects',
-    pattern: /console\.(log|error|warn)\s*\(\s*(err|error|e)\s*\)/gi,
-    sink: 'log',
-    severity: 'info', // Downgraded from 'low' - this is standard practice
-    description: 'Error object logged to console. Standard debugging practice, but may expose stack traces in logs.',
-    suggestedFix: 'Consider logging only error.message in production. Use structured logging for better control.',
-  },
-  {
-    name: 'Logging request body',
-    pattern: /console\.(log|info|debug)\s*\([^)]*\b(req\.body|request\.body|body)\b/gi,
-    sink: 'log',
-    severity: 'low',
-    description: 'Request body logged to console. May contain sensitive user input.',
-    suggestedFix: 'Redact sensitive fields (passwords, tokens) before logging.',
-  },
-  {
-    name: 'JSON.stringify error to log',
-    pattern: /console\.(log|error|warn)\s*\([^)]*JSON\.stringify\s*\(\s*(err|error|e)\s*\)/gi,
-    sink: 'log',
-    severity: 'info',
-    description: 'Error object serialized to JSON for logging. May include stack traces.',
-    suggestedFix: 'Consider logging specific error properties instead of the full serialized object.',
-  },
+  // NOTE: The following patterns have been REMOVED to eliminate false positives:
+  // - 'Logging user ID' - user IDs in logs are standard practice
+  // - 'Logging error objects' - console.error(err) is correct error handling
+  // - 'Logging request body' - server logs are not exposed to clients
+  // - 'JSON.stringify error to log' - serializing errors for logs is fine
 
   // ============================================================================
   // RESPONSE SINKS (higher severity - exposed to clients)
@@ -171,14 +145,15 @@ function isLowRiskLoggingFile(filePath: string): boolean {
  */
 export function detectDataExposure(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isLowRiskFile = isLowRiskLoggingFile(filePath)