@oculum/scanner 1.0.11 → 1.0.13
- package/dist/ai-context/index.d.ts +6 -0
- package/dist/ai-context/index.d.ts.map +1 -0
- package/dist/ai-context/index.js +13 -0
- package/dist/ai-context/index.js.map +1 -0
- package/dist/ai-context/manager.d.ts +67 -0
- package/dist/ai-context/manager.d.ts.map +1 -0
- package/dist/ai-context/manager.js +104 -0
- package/dist/ai-context/manager.js.map +1 -0
- package/dist/category-filter.d.ts +125 -0
- package/dist/category-filter.d.ts.map +1 -0
- package/dist/category-filter.js +360 -0
- package/dist/category-filter.js.map +1 -0
- package/dist/detect/ai-code/agent-tools.d.ts +22 -0
- package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
- package/dist/detect/ai-code/agent-tools.js +1509 -0
- package/dist/detect/ai-code/agent-tools.js.map +1 -0
- package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
- package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
- package/dist/detect/ai-code/byok-patterns.js +313 -0
- package/dist/detect/ai-code/byok-patterns.js.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.js +349 -0
- package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
- package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
- package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
- package/dist/detect/ai-code/execution-sinks.js +1158 -0
- package/dist/detect/ai-code/execution-sinks.js.map +1 -0
- package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
- package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
- package/dist/detect/ai-code/fingerprinting.js +665 -0
- package/dist/detect/ai-code/fingerprinting.js.map +1 -0
- package/dist/detect/ai-code/index.d.ts +12 -0
- package/dist/detect/ai-code/index.d.ts.map +1 -0
- package/dist/detect/ai-code/index.js +26 -0
- package/dist/detect/ai-code/index.js.map +1 -0
- package/dist/detect/ai-code/mcp-security.d.ts +20 -0
- package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
- package/dist/detect/ai-code/mcp-security.js +880 -0
- package/dist/detect/ai-code/mcp-security.js.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.js +447 -0
- package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
- package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
- package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
- package/dist/detect/ai-code/package-hallucination.js +841 -0
- package/dist/detect/ai-code/package-hallucination.js.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
- package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
- package/dist/detect/ai-code/rag-safety.d.ts +24 -0
- package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
- package/dist/detect/ai-code/rag-safety.js +913 -0
- package/dist/detect/ai-code/rag-safety.js.map +1 -0
- package/dist/detect/ai-code/schema-validation.d.ts +28 -0
- package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
- package/dist/detect/ai-code/schema-validation.js +378 -0
- package/dist/detect/ai-code/schema-validation.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts +27 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
- package/dist/detect/config/agent-skill-injection.js +472 -0
- package/dist/detect/config/agent-skill-injection.js.map +1 -0
- package/dist/detect/config/comments.d.ts +11 -0
- package/dist/detect/config/comments.d.ts.map +1 -0
- package/dist/detect/config/comments.js +206 -0
- package/dist/detect/config/comments.js.map +1 -0
- package/dist/detect/config/file-flags.d.ts +10 -0
- package/dist/detect/config/file-flags.d.ts.map +1 -0
- package/dist/detect/config/file-flags.js +124 -0
- package/dist/detect/config/file-flags.js.map +1 -0
- package/dist/detect/config/index.d.ts +7 -0
- package/dist/detect/config/index.d.ts.map +1 -0
- package/dist/detect/config/index.js +17 -0
- package/dist/detect/config/index.js.map +1 -0
- package/dist/detect/config/osv-check.d.ts +75 -0
- package/dist/detect/config/osv-check.d.ts.map +1 -0
- package/dist/detect/config/osv-check.js +309 -0
- package/dist/detect/config/osv-check.js.map +1 -0
- package/dist/detect/config/package-check.d.ts +63 -0
- package/dist/detect/config/package-check.d.ts.map +1 -0
- package/dist/detect/config/package-check.js +509 -0
- package/dist/detect/config/package-check.js.map +1 -0
- package/dist/detect/config/urls.d.ts +11 -0
- package/dist/detect/config/urls.d.ts.map +1 -0
- package/dist/detect/config/urls.js +450 -0
- package/dist/detect/config/urls.js.map +1 -0
- package/dist/detect/index.d.ts +37 -0
- package/dist/detect/index.d.ts.map +1 -0
- package/dist/detect/index.js +77 -0
- package/dist/detect/index.js.map +1 -0
- package/dist/detect/secrets/config-audit.d.ts +11 -0
- package/dist/detect/secrets/config-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-audit.js +315 -0
- package/dist/detect/secrets/config-audit.js.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.js +243 -0
- package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
- package/dist/detect/secrets/entropy.d.ts +11 -0
- package/dist/detect/secrets/entropy.d.ts.map +1 -0
- package/dist/detect/secrets/entropy.js +751 -0
- package/dist/detect/secrets/entropy.js.map +1 -0
- package/dist/detect/secrets/index.d.ts +36 -0
- package/dist/detect/secrets/index.d.ts.map +1 -0
- package/dist/detect/secrets/index.js +174 -0
- package/dist/detect/secrets/index.js.map +1 -0
- package/dist/detect/secrets/patterns.d.ts +11 -0
- package/dist/detect/secrets/patterns.d.ts.map +1 -0
- package/dist/detect/secrets/patterns.js +518 -0
- package/dist/detect/secrets/patterns.js.map +1 -0
- package/dist/detect/secrets/weak-crypto.d.ts +10 -0
- package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
- package/dist/detect/secrets/weak-crypto.js +432 -0
- package/dist/detect/secrets/weak-crypto.js.map +1 -0
- package/dist/detect/structural/auth-patterns.d.ts +22 -0
- package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
- package/dist/detect/structural/auth-patterns.js +533 -0
- package/dist/detect/structural/auth-patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
- package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.js +1193 -0
- package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
- package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
- package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/detect/structural/data-exposure.d.ts +19 -0
- package/dist/detect/structural/data-exposure.d.ts.map +1 -0
- package/dist/detect/structural/data-exposure.js +262 -0
- package/dist/detect/structural/data-exposure.js.map +1 -0
- package/dist/detect/structural/framework-checks.d.ts +10 -0
- package/dist/detect/structural/framework-checks.d.ts.map +1 -0
- package/dist/detect/structural/framework-checks.js +389 -0
- package/dist/detect/structural/framework-checks.js.map +1 -0
- package/dist/detect/structural/index.d.ts +71 -0
- package/dist/detect/structural/index.d.ts.map +1 -0
- package/dist/detect/structural/index.js +510 -0
- package/dist/detect/structural/index.js.map +1 -0
- package/dist/detect/structural/log-injection.d.ts +18 -0
- package/dist/detect/structural/log-injection.d.ts.map +1 -0
- package/dist/detect/structural/log-injection.js +217 -0
- package/dist/detect/structural/log-injection.js.map +1 -0
- package/dist/detect/structural/logic-gates.d.ts +10 -0
- package/dist/detect/structural/logic-gates.d.ts.map +1 -0
- package/dist/detect/structural/logic-gates.js +227 -0
- package/dist/detect/structural/logic-gates.js.map +1 -0
- package/dist/detect/structural/risky-imports.d.ts +10 -0
- package/dist/detect/structural/risky-imports.d.ts.map +1 -0
- package/dist/detect/structural/risky-imports.js +168 -0
- package/dist/detect/structural/risky-imports.js.map +1 -0
- package/dist/detect/structural/security-headers.d.ts +18 -0
- package/dist/detect/structural/security-headers.d.ts.map +1 -0
- package/dist/detect/structural/security-headers.js +196 -0
- package/dist/detect/structural/security-headers.js.map +1 -0
- package/dist/detect/structural/ssrf-detection.d.ts +18 -0
- package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
- package/dist/detect/structural/ssrf-detection.js +263 -0
- package/dist/detect/structural/ssrf-detection.js.map +1 -0
- package/dist/detect/structural/variables.d.ts +11 -0
- package/dist/detect/structural/variables.d.ts.map +1 -0
- package/dist/detect/structural/variables.js +159 -0
- package/dist/detect/structural/variables.js.map +1 -0
- package/dist/detect/structural/xxe-detection.d.ts +18 -0
- package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
- package/dist/detect/structural/xxe-detection.js +245 -0
- package/dist/detect/structural/xxe-detection.js.map +1 -0
- package/dist/filtering/context-adjustments.d.ts +23 -0
- package/dist/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/filtering/context-adjustments.js +100 -0
- package/dist/filtering/context-adjustments.js.map +1 -0
- package/dist/filtering/index.d.ts +3 -0
- package/dist/filtering/index.d.ts.map +1 -0
- package/dist/filtering/index.js +8 -0
- package/dist/filtering/index.js.map +1 -0
- package/dist/filtering/pipeline.d.ts +48 -0
- package/dist/filtering/pipeline.d.ts.map +1 -0
- package/dist/filtering/pipeline.js +76 -0
- package/dist/filtering/pipeline.js.map +1 -0
- package/dist/formatters/ai-context.d.ts +23 -0
- package/dist/formatters/ai-context.d.ts.map +1 -0
- package/dist/formatters/ai-context.js +238 -0
- package/dist/formatters/ai-context.js.map +1 -0
- package/dist/formatters/github-comment.d.ts +1 -1
- package/dist/formatters/github-comment.d.ts.map +1 -1
- package/dist/formatters/github-comment.js +2 -2
- package/dist/formatters/github-comment.js.map +1 -1
- package/dist/formatters/ide/claude-code.d.ts +17 -0
- package/dist/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/formatters/ide/claude-code.js +94 -0
- package/dist/formatters/ide/claude-code.js.map +1 -0
- package/dist/formatters/ide/cursor.d.ts +13 -0
- package/dist/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/formatters/ide/cursor.js +125 -0
- package/dist/formatters/ide/cursor.js.map +1 -0
- package/dist/formatters/ide/index.d.ts +62 -0
- package/dist/formatters/ide/index.d.ts.map +1 -0
- package/dist/formatters/ide/index.js +184 -0
- package/dist/formatters/ide/index.js.map +1 -0
- package/dist/formatters/ide/windsurf.d.ts +13 -0
- package/dist/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/formatters/ide/windsurf.js +117 -0
- package/dist/formatters/ide/windsurf.js.map +1 -0
- package/dist/formatters/index.d.ts +2 -0
- package/dist/formatters/index.d.ts.map +1 -1
- package/dist/formatters/index.js +17 -1
- package/dist/formatters/index.js.map +1 -1
- package/dist/index.d.ts +17 -60
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +67 -824
- package/dist/index.js.map +1 -1
- package/dist/layer1/comments.d.ts +4 -1
- package/dist/layer1/comments.d.ts.map +1 -1
- package/dist/layer1/comments.js +1 -1
- package/dist/layer1/comments.js.map +1 -1
- package/dist/layer1/config-audit.d.ts +4 -1
- package/dist/layer1/config-audit.d.ts.map +1 -1
- package/dist/layer1/config-audit.js +45 -11
- package/dist/layer1/config-audit.js.map +1 -1
- package/dist/layer1/config-mcp-audit.d.ts +4 -1
- package/dist/layer1/config-mcp-audit.d.ts.map +1 -1
- package/dist/layer1/config-mcp-audit.js +2 -2
- package/dist/layer1/config-mcp-audit.js.map +1 -1
- package/dist/layer1/entropy.d.ts +4 -1
- package/dist/layer1/entropy.d.ts.map +1 -1
- package/dist/layer1/entropy.js +212 -1
- package/dist/layer1/entropy.js.map +1 -1
- package/dist/layer1/file-flags.d.ts +4 -1
- package/dist/layer1/file-flags.d.ts.map +1 -1
- package/dist/layer1/file-flags.js +12 -5
- package/dist/layer1/file-flags.js.map +1 -1
- package/dist/layer1/index.d.ts.map +1 -1
- package/dist/layer1/index.js +14 -19
- package/dist/layer1/index.js.map +1 -1
- package/dist/layer1/patterns.d.ts +4 -1
- package/dist/layer1/patterns.d.ts.map +1 -1
- package/dist/layer1/patterns.js +34 -4
- package/dist/layer1/patterns.js.map +1 -1
- package/dist/layer1/urls.d.ts +4 -1
- package/dist/layer1/urls.d.ts.map +1 -1
- package/dist/layer1/urls.js +162 -14
- package/dist/layer1/urls.js.map +1 -1
- package/dist/layer1/weak-crypto.d.ts +4 -1
- package/dist/layer1/weak-crypto.d.ts.map +1 -1
- package/dist/layer1/weak-crypto.js +144 -7
- package/dist/layer1/weak-crypto.js.map +1 -1
- package/dist/layer2/ai-agent-tools.d.ts +4 -1
- package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
- package/dist/layer2/ai-agent-tools.js +661 -2
- package/dist/layer2/ai-agent-tools.js.map +1 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
- package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
- package/dist/layer2/ai-endpoint-protection.js +1 -1
- package/dist/layer2/ai-endpoint-protection.js.map +1 -1
- package/dist/layer2/ai-execution-sinks.d.ts +4 -1
- package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
- package/dist/layer2/ai-execution-sinks.js +252 -43
- package/dist/layer2/ai-execution-sinks.js.map +1 -1
- package/dist/layer2/ai-fingerprinting.d.ts +4 -1
- package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
- package/dist/layer2/ai-fingerprinting.js +25 -32
- package/dist/layer2/ai-fingerprinting.js.map +1 -1
- package/dist/layer2/ai-mcp-security.d.ts +4 -1
- package/dist/layer2/ai-mcp-security.d.ts.map +1 -1
- package/dist/layer2/ai-mcp-security.js +200 -2
- package/dist/layer2/ai-mcp-security.js.map +1 -1
- package/dist/layer2/ai-package-hallucination.d.ts +4 -1
- package/dist/layer2/ai-package-hallucination.d.ts.map +1 -1
- package/dist/layer2/ai-package-hallucination.js +136 -4
- package/dist/layer2/ai-package-hallucination.js.map +1 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
- package/dist/layer2/ai-prompt-hygiene.js +342 -28
- package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
- package/dist/layer2/ai-rag-safety.d.ts +4 -1
- package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
- package/dist/layer2/ai-rag-safety.js +82 -2
- package/dist/layer2/ai-rag-safety.js.map +1 -1
- package/dist/layer2/ai-schema-validation.d.ts +4 -1
- package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
- package/dist/layer2/ai-schema-validation.js +2 -2
- package/dist/layer2/ai-schema-validation.js.map +1 -1
- package/dist/layer2/auth-antipatterns.d.ts +2 -0
- package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
- package/dist/layer2/auth-antipatterns.js +205 -20
- package/dist/layer2/auth-antipatterns.js.map +1 -1
- package/dist/layer2/byok-patterns.d.ts +4 -1
- package/dist/layer2/byok-patterns.d.ts.map +1 -1
- package/dist/layer2/byok-patterns.js +2 -2
- package/dist/layer2/byok-patterns.js.map +1 -1
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +9 -4
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/dom-xss.js +73 -22
- package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -1
- package/dist/layer2/dangerous-functions/index.d.ts +4 -1
- package/dist/layer2/dangerous-functions/index.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/index.js +551 -20
- package/dist/layer2/dangerous-functions/index.js.map +1 -1
- package/dist/layer2/dangerous-functions/math-random.d.ts +54 -4
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/math-random.js +241 -16
- package/dist/layer2/dangerous-functions/math-random.js.map +1 -1
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/patterns.js +3 -1
- package/dist/layer2/dangerous-functions/patterns.js.map +1 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +3 -2
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.js +41 -120
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -1
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/utils/helpers.js +26 -3
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +14 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -1
- package/dist/layer2/data-exposure.d.ts +4 -1
- package/dist/layer2/data-exposure.d.ts.map +1 -1
- package/dist/layer2/data-exposure.js +11 -38
- package/dist/layer2/data-exposure.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts +4 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +3 -10
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +13 -1
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +107 -52
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/log-injection.d.ts +18 -0
- package/dist/layer2/log-injection.d.ts.map +1 -0
- package/dist/layer2/log-injection.js +214 -0
- package/dist/layer2/log-injection.js.map +1 -0
- package/dist/layer2/logic-gates.d.ts +4 -1
- package/dist/layer2/logic-gates.d.ts.map +1 -1
- package/dist/layer2/logic-gates.js +54 -20
- package/dist/layer2/logic-gates.js.map +1 -1
- package/dist/layer2/model-supply-chain.d.ts +4 -1
- package/dist/layer2/model-supply-chain.d.ts.map +1 -1
- package/dist/layer2/model-supply-chain.js +72 -4
- package/dist/layer2/model-supply-chain.js.map +1 -1
- package/dist/layer2/risky-imports.d.ts +4 -1
- package/dist/layer2/risky-imports.d.ts.map +1 -1
- package/dist/layer2/risky-imports.js +2 -2
- package/dist/layer2/risky-imports.js.map +1 -1
- package/dist/layer2/security-headers.d.ts +18 -0
- package/dist/layer2/security-headers.d.ts.map +1 -0
- package/dist/layer2/security-headers.js +187 -0
- package/dist/layer2/security-headers.js.map +1 -0
- package/dist/layer2/ssrf-detection.d.ts +18 -0
- package/dist/layer2/ssrf-detection.d.ts.map +1 -0
- package/dist/layer2/ssrf-detection.js +252 -0
- package/dist/layer2/ssrf-detection.js.map +1 -0
- package/dist/layer2/variables.d.ts +4 -1
- package/dist/layer2/variables.d.ts.map +1 -1
- package/dist/layer2/variables.js +2 -2
- package/dist/layer2/variables.js.map +1 -1
- package/dist/layer2/xxe-detection.d.ts +18 -0
- package/dist/layer2/xxe-detection.d.ts.map +1 -0
- package/dist/layer2/xxe-detection.js +242 -0
- package/dist/layer2/xxe-detection.js.map +1 -0
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -1
- package/dist/layer3/anthropic/auto-dismiss.js +11 -0
- package/dist/layer3/anthropic/auto-dismiss.js.map +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/index.js +3 -1
- package/dist/layer3/anthropic/prompts/index.js.map +1 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
- package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
- package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/validation.js +14 -410
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.js +6 -3
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/openai.js +6 -3
- package/dist/layer3/anthropic/providers/openai.js.map +1 -1
- package/dist/layer3/anthropic/request-builder.d.ts +11 -4
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
- package/dist/layer3/anthropic/request-builder.js +32 -16
- package/dist/layer3/anthropic/request-builder.js.map +1 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
- package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +2 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/utils/index.js +4 -1
- package/dist/layer3/anthropic/utils/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts +56 -0
- package/dist/model/auth-helper-detector.d.ts.map +1 -0
- package/dist/model/auth-helper-detector.js +360 -0
- package/dist/model/auth-helper-detector.js.map +1 -0
- package/dist/model/cross-file-taint.d.ts +40 -0
- package/dist/model/cross-file-taint.d.ts.map +1 -0
- package/dist/model/cross-file-taint.js +290 -0
- package/dist/model/cross-file-taint.js.map +1 -0
- package/dist/model/framework-models/django.d.ts +9 -0
- package/dist/model/framework-models/django.d.ts.map +1 -0
- package/dist/model/framework-models/django.js +82 -0
- package/dist/model/framework-models/django.js.map +1 -0
- package/dist/model/framework-models/express.d.ts +9 -0
- package/dist/model/framework-models/express.d.ts.map +1 -0
- package/dist/model/framework-models/express.js +52 -0
- package/dist/model/framework-models/express.js.map +1 -0
- package/dist/model/framework-models/index.d.ts +20 -0
- package/dist/model/framework-models/index.d.ts.map +1 -0
- package/dist/model/framework-models/index.js +102 -0
- package/dist/model/framework-models/index.js.map +1 -0
- package/dist/model/framework-models/nextjs.d.ts +9 -0
- package/dist/model/framework-models/nextjs.d.ts.map +1 -0
- package/dist/model/framework-models/nextjs.js +71 -0
- package/dist/model/framework-models/nextjs.js.map +1 -0
- package/dist/model/framework-models/prisma.d.ts +10 -0
- package/dist/model/framework-models/prisma.d.ts.map +1 -0
- package/dist/model/framework-models/prisma.js +54 -0
- package/dist/model/framework-models/prisma.js.map +1 -0
- package/dist/model/framework-models/react.d.ts +9 -0
- package/dist/model/framework-models/react.d.ts.map +1 -0
- package/dist/model/framework-models/react.js +67 -0
- package/dist/model/framework-models/react.js.map +1 -0
- package/dist/model/framework-models/sequelize.d.ts +9 -0
- package/dist/model/framework-models/sequelize.d.ts.map +1 -0
- package/dist/model/framework-models/sequelize.js +62 -0
- package/dist/model/framework-models/sequelize.js.map +1 -0
- package/dist/model/framework-models/types.d.ts +43 -0
- package/dist/model/framework-models/types.d.ts.map +1 -0
- package/dist/model/framework-models/types.js +10 -0
- package/dist/model/framework-models/types.js.map +1 -0
- package/dist/model/function-classifier.d.ts +32 -0
- package/dist/model/function-classifier.d.ts.map +1 -0
- package/dist/model/function-classifier.js +143 -0
- package/dist/model/function-classifier.js.map +1 -0
- package/dist/model/import-resolver.d.ts +45 -0
- package/dist/model/import-resolver.d.ts.map +1 -0
- package/dist/model/import-resolver.js +410 -0
- package/dist/model/import-resolver.js.map +1 -0
- package/dist/model/imported-auth-detector.d.ts +38 -0
- package/dist/model/imported-auth-detector.d.ts.map +1 -0
- package/dist/model/imported-auth-detector.js +199 -0
- package/dist/model/imported-auth-detector.js.map +1 -0
- package/dist/model/index.d.ts +63 -0
- package/dist/model/index.d.ts.map +1 -0
- package/dist/model/index.js +272 -0
- package/dist/model/index.js.map +1 -0
- package/dist/model/middleware-detector.d.ts +55 -0
- package/dist/model/middleware-detector.d.ts.map +1 -0
- package/dist/model/middleware-detector.js +382 -0
- package/dist/model/middleware-detector.js.map +1 -0
- package/dist/model/module-graph.d.ts +46 -0
- package/dist/model/module-graph.d.ts.map +1 -0
- package/dist/model/module-graph.js +187 -0
- package/dist/model/module-graph.js.map +1 -0
- package/dist/model/oauth-flow-detector.d.ts +41 -0
- package/dist/model/oauth-flow-detector.d.ts.map +1 -0
- package/dist/model/oauth-flow-detector.js +202 -0
- package/dist/model/oauth-flow-detector.js.map +1 -0
- package/dist/model/project-context.d.ts +119 -0
- package/dist/model/project-context.d.ts.map +1 -0
- package/dist/model/project-context.js +534 -0
- package/dist/model/project-context.js.map +1 -0
- package/dist/model/route-auth-resolver.d.ts +27 -0
- package/dist/model/route-auth-resolver.d.ts.map +1 -0
- package/dist/model/route-auth-resolver.js +182 -0
- package/dist/model/route-auth-resolver.js.map +1 -0
- package/dist/model/route-discovery/express.d.ts +25 -0
- package/dist/model/route-discovery/express.d.ts.map +1 -0
- package/dist/model/route-discovery/express.js +225 -0
- package/dist/model/route-discovery/express.js.map +1 -0
- package/dist/model/route-discovery/index.d.ts +21 -0
- package/dist/model/route-discovery/index.d.ts.map +1 -0
- package/dist/model/route-discovery/index.js +67 -0
- package/dist/model/route-discovery/index.js.map +1 -0
- package/dist/model/route-discovery/nextjs.d.ts +16 -0
- package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
- package/dist/model/route-discovery/nextjs.js +179 -0
- package/dist/model/route-discovery/nextjs.js.map +1 -0
- package/dist/model/route-discovery/python.d.ts +16 -0
- package/dist/model/route-discovery/python.d.ts.map +1 -0
- package/dist/model/route-discovery/python.js +181 -0
- package/dist/model/route-discovery/python.js.map +1 -0
- package/dist/model/route-discovery/types.d.ts +36 -0
- package/dist/model/route-discovery/types.d.ts.map +1 -0
- package/dist/model/route-discovery/types.js +16 -0
- package/dist/model/route-discovery/types.js.map +1 -0
- package/dist/model/route-discovery/utils.d.ts +18 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -0
- package/dist/model/route-discovery/utils.js +55 -0
- package/dist/model/route-discovery/utils.js.map +1 -0
- package/dist/model/route-hierarchy.d.ts +50 -0
- package/dist/model/route-hierarchy.d.ts.map +1 -0
- package/dist/model/route-hierarchy.js +226 -0
- package/dist/model/route-hierarchy.js.map +1 -0
- package/dist/model/sanitiser-detection.d.ts +27 -0
- package/dist/model/sanitiser-detection.d.ts.map +1 -0
- package/dist/model/sanitiser-detection.js +224 -0
- package/dist/model/sanitiser-detection.js.map +1 -0
- package/dist/model/sink-matcher.d.ts +17 -0
- package/dist/model/sink-matcher.d.ts.map +1 -0
- package/dist/model/sink-matcher.js +141 -0
- package/dist/model/sink-matcher.js.map +1 -0
- package/dist/model/sink-patterns.d.ts +19 -0
- package/dist/model/sink-patterns.d.ts.map +1 -0
- package/dist/model/sink-patterns.js +88 -0
- package/dist/model/sink-patterns.js.map +1 -0
- package/dist/model/source-discovery.d.ts +15 -0
- package/dist/model/source-discovery.d.ts.map +1 -0
- package/dist/model/source-discovery.js +170 -0
- package/dist/model/source-discovery.js.map +1 -0
- package/dist/model/taint-tracker.d.ts +21 -0
- package/dist/model/taint-tracker.d.ts.map +1 -0
- package/dist/model/taint-tracker.js +281 -0
- package/dist/model/taint-tracker.js.map +1 -0
- package/dist/model/taint-types.d.ts +74 -0
- package/dist/model/taint-types.d.ts.map +1 -0
- package/dist/model/taint-types.js +9 -0
- package/dist/model/taint-types.js.map +1 -0
- package/dist/model/trpc-analyzer.d.ts +78 -0
- package/dist/model/trpc-analyzer.d.ts.map +1 -0
- package/dist/model/trpc-analyzer.js +297 -0
- package/dist/model/trpc-analyzer.js.map +1 -0
- package/dist/modes/incremental.js +1 -1
- package/dist/parse/file-classifier.d.ts +228 -0
- package/dist/parse/file-classifier.d.ts.map +1 -0
- package/dist/parse/file-classifier.js +933 -0
- package/dist/parse/file-classifier.js.map +1 -0
- package/dist/parse/path-exclusions.d.ts +55 -0
- package/dist/parse/path-exclusions.d.ts.map +1 -0
- package/dist/parse/path-exclusions.js +224 -0
- package/dist/parse/path-exclusions.js.map +1 -0
- package/dist/pipeline/config.d.ts +39 -0
- package/dist/pipeline/config.d.ts.map +1 -0
- package/dist/pipeline/config.js +46 -0
- package/dist/pipeline/config.js.map +1 -0
- package/dist/pipeline/index.d.ts +34 -0
- package/dist/pipeline/index.d.ts.map +1 -0
- package/dist/pipeline/index.js +377 -0
- package/dist/pipeline/index.js.map +1 -0
- package/dist/pipeline/modes/incremental.d.ts +66 -0
- package/dist/pipeline/modes/incremental.d.ts.map +1 -0
- package/dist/pipeline/modes/incremental.js +200 -0
- package/dist/pipeline/modes/incremental.js.map +1 -0
- package/dist/postprocess/aggregation.d.ts +14 -0
- package/dist/postprocess/aggregation.d.ts.map +1 -0
- package/dist/postprocess/aggregation.js +63 -0
- package/dist/postprocess/aggregation.js.map +1 -0
- package/dist/postprocess/contradictions.d.ts +18 -0
- package/dist/postprocess/contradictions.d.ts.map +1 -0
- package/dist/postprocess/contradictions.js +99 -0
- package/dist/postprocess/contradictions.js.map +1 -0
- package/dist/postprocess/dedup.d.ts +13 -0
- package/dist/postprocess/dedup.d.ts.map +1 -0
- package/dist/postprocess/dedup.js +58 -0
- package/dist/postprocess/dedup.js.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.js +100 -0
- package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
- package/dist/postprocess/filtering/index.d.ts +3 -0
- package/dist/postprocess/filtering/index.d.ts.map +1 -0
- package/dist/postprocess/filtering/index.js +8 -0
- package/dist/postprocess/filtering/index.js.map +1 -0
- package/dist/postprocess/filtering/pipeline.d.ts +48 -0
- package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
- package/dist/postprocess/filtering/pipeline.js +76 -0
- package/dist/postprocess/filtering/pipeline.js.map +1 -0
- package/dist/postprocess/index.d.ts +41 -0
- package/dist/postprocess/index.d.ts.map +1 -0
- package/dist/postprocess/index.js +85 -0
- package/dist/postprocess/index.js.map +1 -0
- package/dist/postprocess/suppression/config-loader.d.ts +74 -0
- package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
- package/dist/postprocess/suppression/config-loader.js +424 -0
- package/dist/postprocess/suppression/config-loader.js.map +1 -0
- package/dist/postprocess/suppression/hash.d.ts +48 -0
- package/dist/postprocess/suppression/hash.d.ts.map +1 -0
- package/dist/postprocess/suppression/hash.js +88 -0
- package/dist/postprocess/suppression/hash.js.map +1 -0
- package/dist/postprocess/suppression/index.d.ts +11 -0
- package/dist/postprocess/suppression/index.d.ts.map +1 -0
- package/dist/postprocess/suppression/index.js +39 -0
- package/dist/postprocess/suppression/index.js.map +1 -0
- package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
- package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
- package/dist/postprocess/suppression/inline-parser.js +218 -0
- package/dist/postprocess/suppression/inline-parser.js.map +1 -0
- package/dist/postprocess/suppression/manager.d.ts +94 -0
- package/dist/postprocess/suppression/manager.d.ts.map +1 -0
- package/dist/postprocess/suppression/manager.js +292 -0
- package/dist/postprocess/suppression/manager.js.map +1 -0
- package/dist/postprocess/suppression/types.d.ts +151 -0
- package/dist/postprocess/suppression/types.d.ts.map +1 -0
- package/dist/postprocess/suppression/types.js +28 -0
- package/dist/postprocess/suppression/types.js.map +1 -0
- package/dist/postprocess/validation-cap.d.ts +17 -0
- package/dist/postprocess/validation-cap.d.ts.map +1 -0
- package/dist/postprocess/validation-cap.js +64 -0
- package/dist/postprocess/validation-cap.js.map +1 -0
- package/dist/report/build-result.d.ts +33 -0
- package/dist/report/build-result.d.ts.map +1 -0
- package/dist/report/build-result.js +59 -0
- package/dist/report/build-result.js.map +1 -0
- package/dist/report/enrichment.d.ts +19 -0
- package/dist/report/enrichment.d.ts.map +1 -0
- package/dist/report/enrichment.js +44 -0
- package/dist/report/enrichment.js.map +1 -0
- package/dist/report/formatters/ai-context.d.ts +23 -0
- package/dist/report/formatters/ai-context.d.ts.map +1 -0
- package/dist/report/formatters/ai-context.js +238 -0
- package/dist/report/formatters/ai-context.js.map +1 -0
- package/dist/report/formatters/cli-terminal.d.ts +65 -0
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/report/formatters/cli-terminal.js +735 -0
- package/dist/report/formatters/cli-terminal.js.map +1 -0
- package/dist/report/formatters/github-comment.d.ts +41 -0
- package/dist/report/formatters/github-comment.d.ts.map +1 -0
- package/dist/report/formatters/github-comment.js +370 -0
- package/dist/report/formatters/github-comment.js.map +1 -0
- package/dist/report/formatters/grouping.d.ts +52 -0
- package/dist/report/formatters/grouping.d.ts.map +1 -0
- package/dist/report/formatters/grouping.js +152 -0
- package/dist/report/formatters/grouping.js.map +1 -0
- package/dist/report/formatters/ide/claude-code.d.ts +17 -0
- package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/report/formatters/ide/claude-code.js +94 -0
- package/dist/report/formatters/ide/claude-code.js.map +1 -0
- package/dist/report/formatters/ide/cursor.d.ts +13 -0
- package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/report/formatters/ide/cursor.js +125 -0
- package/dist/report/formatters/ide/cursor.js.map +1 -0
- package/dist/report/formatters/ide/index.d.ts +62 -0
- package/dist/report/formatters/ide/index.d.ts.map +1 -0
- package/dist/report/formatters/ide/index.js +184 -0
- package/dist/report/formatters/ide/index.js.map +1 -0
- package/dist/report/formatters/ide/windsurf.d.ts +13 -0
- package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/report/formatters/ide/windsurf.js +117 -0
- package/dist/report/formatters/ide/windsurf.js.map +1 -0
- package/dist/report/formatters/index.d.ts +11 -0
- package/dist/report/formatters/index.d.ts.map +1 -0
- package/dist/report/formatters/index.js +54 -0
- package/dist/report/formatters/index.js.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.js +151 -0
- package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/report/summary.d.ts +27 -0
- package/dist/report/summary.d.ts.map +1 -0
- package/dist/report/summary.js +57 -0
- package/dist/report/summary.js.map +1 -0
- package/dist/rules/metadata.d.ts.map +1 -1
- package/dist/rules/metadata.js +66 -0
- package/dist/rules/metadata.js.map +1 -1
- package/dist/score/adjustments.d.ts +22 -0
- package/dist/score/adjustments.d.ts.map +1 -0
- package/dist/score/adjustments.js +373 -0
- package/dist/score/adjustments.js.map +1 -0
- package/dist/score/auto-dismiss.d.ts +28 -0
- package/dist/score/auto-dismiss.d.ts.map +1 -0
- package/dist/score/auto-dismiss.js +200 -0
- package/dist/score/auto-dismiss.js.map +1 -0
- package/dist/score/confidence.d.ts +19 -0
- package/dist/score/confidence.d.ts.map +1 -0
- package/dist/score/confidence.js +52 -0
- package/dist/score/confidence.js.map +1 -0
- package/dist/score/index.d.ts +61 -0
- package/dist/score/index.d.ts.map +1 -0
- package/dist/score/index.js +250 -0
- package/dist/score/index.js.map +1 -0
- package/dist/score/types.d.ts +160 -0
- package/dist/score/types.d.ts.map +1 -0
- package/dist/score/types.js +14 -0
- package/dist/score/types.js.map +1 -0
- package/dist/shared/ai-context/index.d.ts +6 -0
- package/dist/shared/ai-context/index.d.ts.map +1 -0
- package/dist/shared/ai-context/index.js +13 -0
- package/dist/shared/ai-context/index.js.map +1 -0
- package/dist/shared/ai-context/manager.d.ts +67 -0
- package/dist/shared/ai-context/manager.d.ts.map +1 -0
- package/dist/shared/ai-context/manager.js +104 -0
- package/dist/shared/ai-context/manager.js.map +1 -0
- package/dist/shared/baseline/diff.d.ts +32 -0
- package/dist/shared/baseline/diff.d.ts.map +1 -0
- package/dist/shared/baseline/diff.js +119 -0
- package/dist/shared/baseline/diff.js.map +1 -0
- package/dist/shared/baseline/index.d.ts +9 -0
- package/dist/shared/baseline/index.d.ts.map +1 -0
- package/dist/shared/baseline/index.js +19 -0
- package/dist/shared/baseline/index.js.map +1 -0
- package/dist/shared/baseline/manager.d.ts +67 -0
- package/dist/shared/baseline/manager.d.ts.map +1 -0
- package/dist/shared/baseline/manager.js +180 -0
- package/dist/shared/baseline/manager.js.map +1 -0
- package/dist/shared/baseline/types.d.ts +91 -0
- package/dist/shared/baseline/types.d.ts.map +1 -0
- package/dist/shared/baseline/types.js +12 -0
- package/dist/shared/baseline/types.js.map +1 -0
- package/dist/shared/category-filter.d.ts +125 -0
- package/dist/shared/category-filter.d.ts.map +1 -0
- package/dist/shared/category-filter.js +360 -0
- package/dist/shared/category-filter.js.map +1 -0
- package/dist/shared/code-analysis.d.ts +39 -0
- package/dist/shared/code-analysis.d.ts.map +1 -0
- package/dist/shared/code-analysis.js +159 -0
- package/dist/shared/code-analysis.js.map +1 -0
- package/dist/shared/comment-analyzer.d.ts +38 -0
- package/dist/shared/comment-analyzer.d.ts.map +1 -0
- package/dist/shared/comment-analyzer.js +218 -0
- package/dist/shared/comment-analyzer.js.map +1 -0
- package/dist/shared/diff-detector.d.ts +53 -0
- package/dist/shared/diff-detector.d.ts.map +1 -0
- package/dist/shared/diff-detector.js +104 -0
- package/dist/shared/diff-detector.js.map +1 -0
- package/dist/shared/diff-parser.d.ts +80 -0
- package/dist/shared/diff-parser.d.ts.map +1 -0
- package/dist/shared/diff-parser.js +202 -0
- package/dist/shared/diff-parser.js.map +1 -0
- package/dist/shared/environment-context.d.ts +76 -0
- package/dist/shared/environment-context.d.ts.map +1 -0
- package/dist/shared/environment-context.js +271 -0
- package/dist/shared/environment-context.js.map +1 -0
- package/dist/shared/intent-detector.d.ts +66 -0
- package/dist/shared/intent-detector.d.ts.map +1 -0
- package/dist/shared/intent-detector.js +282 -0
- package/dist/shared/intent-detector.js.map +1 -0
- package/dist/shared/parsed-file.d.ts +51 -0
- package/dist/shared/parsed-file.d.ts.map +1 -0
- package/dist/shared/parsed-file.js +95 -0
- package/dist/shared/parsed-file.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +93 -0
- package/dist/shared/registry-clients.d.ts.map +1 -0
- package/dist/shared/registry-clients.js +273 -0
- package/dist/shared/registry-clients.js.map +1 -0
- package/dist/shared/rules/framework-fixes.d.ts +48 -0
- package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
- package/dist/shared/rules/framework-fixes.js +439 -0
- package/dist/shared/rules/framework-fixes.js.map +1 -0
- package/dist/shared/rules/index.d.ts +8 -0
- package/dist/shared/rules/index.d.ts.map +1 -0
- package/dist/shared/rules/index.js +18 -0
- package/dist/shared/rules/index.js.map +1 -0
- package/dist/shared/rules/metadata.d.ts +43 -0
- package/dist/shared/rules/metadata.d.ts.map +1 -0
- package/dist/shared/rules/metadata.js +819 -0
- package/dist/shared/rules/metadata.js.map +1 -0
- package/dist/shared/schema-semantics.d.ts +45 -0
- package/dist/shared/schema-semantics.d.ts.map +1 -0
- package/dist/shared/schema-semantics.js +193 -0
- package/dist/shared/schema-semantics.js.map +1 -0
- package/dist/shared/types.d.ts +337 -0
- package/dist/shared/types.d.ts.map +1 -0
- package/dist/shared/types.js +126 -0
- package/dist/shared/types.js.map +1 -0
- package/dist/tiers.d.ts +4 -4
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +17 -7
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +79 -9
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -0
- package/dist/types.js.map +1 -1
- package/dist/utils/code-analysis.d.ts +39 -0
- package/dist/utils/code-analysis.d.ts.map +1 -0
- package/dist/utils/code-analysis.js +159 -0
- package/dist/utils/code-analysis.js.map +1 -0
- package/dist/utils/comment-analyzer.d.ts +38 -0
- package/dist/utils/comment-analyzer.d.ts.map +1 -0
- package/dist/utils/comment-analyzer.js +218 -0
- package/dist/utils/comment-analyzer.js.map +1 -0
- package/dist/utils/context-helpers.d.ts +108 -1
- package/dist/utils/context-helpers.d.ts.map +1 -1
- package/dist/utils/context-helpers.js +351 -2
- package/dist/utils/context-helpers.js.map +1 -1
- package/dist/utils/environment-context.d.ts +76 -0
- package/dist/utils/environment-context.d.ts.map +1 -0
- package/dist/utils/environment-context.js +271 -0
- package/dist/utils/environment-context.js.map +1 -0
- package/dist/utils/intent-detector.d.ts +66 -0
- package/dist/utils/intent-detector.d.ts.map +1 -0
- package/dist/utils/intent-detector.js +282 -0
- package/dist/utils/intent-detector.js.map +1 -0
- package/dist/utils/parsed-file.d.ts +51 -0
- package/dist/utils/parsed-file.d.ts.map +1 -0
- package/dist/utils/parsed-file.js +95 -0
- package/dist/utils/parsed-file.js.map +1 -0
- package/dist/utils/route-hierarchy.d.ts +50 -0
- package/dist/utils/route-hierarchy.d.ts.map +1 -0
- package/dist/utils/route-hierarchy.js +226 -0
- package/dist/utils/route-hierarchy.js.map +1 -0
- package/dist/utils/schema-semantics.d.ts +45 -0
- package/dist/utils/schema-semantics.d.ts.map +1 -0
- package/dist/utils/schema-semantics.js +193 -0
- package/dist/utils/schema-semantics.js.map +1 -0
- package/dist/validate/clients.d.ts +44 -0
- package/dist/validate/clients.d.ts.map +1 -0
- package/dist/validate/clients.js +81 -0
- package/dist/validate/clients.js.map +1 -0
- package/dist/validate/index.d.ts +41 -0
- package/dist/validate/index.d.ts.map +1 -0
- package/dist/validate/index.js +141 -0
- package/dist/validate/index.js.map +1 -0
- package/dist/validate/prompts/index.d.ts +8 -0
- package/dist/validate/prompts/index.d.ts.map +1 -0
- package/dist/validate/prompts/index.js +16 -0
- package/dist/validate/prompts/index.js.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.js +156 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
- package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/validate/prompts/modules/auth-access.js +25 -0
- package/dist/validate/prompts/modules/auth-access.js.map +1 -0
- package/dist/validate/prompts/modules/common.d.ts +11 -0
- package/dist/validate/prompts/modules/common.d.ts.map +1 -0
- package/dist/validate/prompts/modules/common.js +186 -0
- package/dist/validate/prompts/modules/common.js.map +1 -0
- package/dist/validate/prompts/modules/index.d.ts +54 -0
- package/dist/validate/prompts/modules/index.d.ts.map +1 -0
- package/dist/validate/prompts/modules/index.js +186 -0
- package/dist/validate/prompts/modules/index.js.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.js +84 -0
- package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
- package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.js +22 -0
- package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
- package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/validate/prompts/semantic-analysis.js +169 -0
- package/dist/validate/prompts/semantic-analysis.js.map +1 -0
- package/dist/validate/prompts/validation.d.ts +18 -0
- package/dist/validate/prompts/validation.d.ts.map +1 -0
- package/dist/validate/prompts/validation.js +25 -0
- package/dist/validate/prompts/validation.js.map +1 -0
- package/dist/validate/providers/anthropic.d.ts +17 -0
- package/dist/validate/providers/anthropic.d.ts.map +1 -0
- package/dist/validate/providers/anthropic.js +260 -0
- package/dist/validate/providers/anthropic.js.map +1 -0
- package/dist/validate/providers/index.d.ts +8 -0
- package/dist/validate/providers/index.d.ts.map +1 -0
- package/dist/validate/providers/index.js +13 -0
- package/dist/validate/providers/index.js.map +1 -0
- package/dist/validate/providers/openai.d.ts +14 -0
- package/dist/validate/providers/openai.d.ts.map +1 -0
- package/dist/validate/providers/openai.js +336 -0
- package/dist/validate/providers/openai.js.map +1 -0
- package/dist/validate/request-builder.d.ts +61 -0
- package/dist/validate/request-builder.d.ts.map +1 -0
- package/dist/validate/request-builder.js +346 -0
- package/dist/validate/request-builder.js.map +1 -0
- package/dist/validate/types.d.ts +88 -0
- package/dist/validate/types.d.ts.map +1 -0
- package/dist/validate/types.js +38 -0
- package/dist/validate/types.js.map +1 -0
- package/dist/validate/utils/context-extractor.d.ts +55 -0
- package/dist/validate/utils/context-extractor.d.ts.map +1 -0
- package/dist/validate/utils/context-extractor.js +161 -0
- package/dist/validate/utils/context-extractor.js.map +1 -0
- package/dist/validate/utils/index.d.ts +11 -0
- package/dist/validate/utils/index.d.ts.map +1 -0
- package/dist/validate/utils/index.js +27 -0
- package/dist/validate/utils/index.js.map +1 -0
- package/dist/validate/utils/path-helpers.d.ts +21 -0
- package/dist/validate/utils/path-helpers.d.ts.map +1 -0
- package/dist/validate/utils/path-helpers.js +69 -0
- package/dist/validate/utils/path-helpers.js.map +1 -0
- package/dist/validate/utils/response-parser.d.ts +40 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -0
- package/dist/validate/utils/response-parser.js +286 -0
- package/dist/validate/utils/response-parser.js.map +1 -0
- package/dist/validate/utils/retry.d.ts +15 -0
- package/dist/validate/utils/retry.d.ts.map +1 -0
- package/dist/validate/utils/retry.js +62 -0
- package/dist/validate/utils/retry.js.map +1 -0
- package/package.json +8 -7
- package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +27 -0
- package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
- package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
- package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
- package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
- package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +12 -12
- package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
- package/src/__tests__/benchmark/types.ts +1 -1
- package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
- package/src/__tests__/category-filter.test.ts +478 -0
- package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
- package/src/__tests__/context-engine/framework-models.test.ts +457 -0
- package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
- package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
- package/src/__tests__/context-engine/integration.test.ts +320 -0
- package/src/__tests__/context-engine/module-graph.test.ts +159 -0
- package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
- package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
- package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
- package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
- package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
- package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
- package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
- package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
- package/src/__tests__/regression/known-false-positives.test.ts +801 -3
- package/src/__tests__/score/adjustments.test.ts +385 -0
- package/src/__tests__/score/confidence.test.ts +283 -0
- package/src/__tests__/score/framework-scoring.test.ts +275 -0
- package/src/__tests__/score/route-scoring.test.ts +156 -0
- package/src/__tests__/score/scoring-integration.test.ts +165 -0
- package/src/__tests__/score/taint-adjustments.test.ts +244 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +50 -58
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -12
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +3 -3
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
- package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
- package/src/__tests__/validate/route-annotations.test.ts +138 -0
- package/src/__tests__/validation/analyze-results.ts +1 -1
- package/src/__tests__/validation/extract-for-triage.ts +1 -1
- package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
- package/src/__tests__/validation/run-validation.ts +7 -7
- package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +729 -4
- package/src/{layer2 → detect/ai-code}/byok-patterns.ts +20 -6
- package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +10 -4
- package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +272 -46
- package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +46 -34
- package/src/detect/ai-code/index.ts +11 -0
- package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +212 -5
- package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +85 -6
- package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +170 -6
- package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +393 -28
- package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +91 -4
- package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +10 -4
- package/src/detect/config/agent-skill-injection.ts +551 -0
- package/src/{layer1 → detect/config}/comments.ts +8 -2
- package/src/{layer1 → detect/config}/file-flags.ts +23 -6
- package/src/detect/config/index.ts +6 -0
- package/src/{layer3 → detect/config}/osv-check.ts +3 -2
- package/src/{layer3 → detect/config}/package-check.ts +3 -2
- package/src/{layer1 → detect/config}/urls.ts +196 -15
- package/src/detect/index.ts +131 -0
- package/src/{layer1 → detect/secrets}/config-audit.ts +56 -12
- package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +11 -4
- package/src/{layer1 → detect/secrets}/entropy.ts +256 -11
- package/src/{layer1 → detect/secrets}/index.ts +43 -46
- package/src/{layer1 → detect/secrets}/patterns.ts +51 -6
- package/src/{layer1 → detect/secrets}/weak-crypto.ts +174 -17
- package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +249 -27
- package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +94 -22
- package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +672 -65
- package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +269 -17
- package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +4 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
- package/src/detect/structural/dangerous-functions/utils/control-flow.ts +35 -0
- package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +16 -1
- package/src/{layer2 → detect/structural}/data-exposure.ts +23 -40
- package/src/{layer2 → detect/structural}/framework-checks.ts +13 -12
- package/src/{layer2 → detect/structural}/index.ts +144 -122
- package/src/detect/structural/log-injection.ts +254 -0
- package/src/{layer2 → detect/structural}/logic-gates.ts +69 -24
- package/src/{layer2 → detect/structural}/risky-imports.ts +10 -4
- package/src/detect/structural/security-headers.ts +231 -0
- package/src/detect/structural/ssrf-detection.ts +300 -0
- package/src/{layer2 → detect/structural}/variables.ts +10 -4
- package/src/detect/structural/xxe-detection.ts +295 -0
- package/src/index.ts +64 -1038
- package/src/{utils → model}/auth-helper-detector.ts +1 -1
- package/src/model/cross-file-taint.ts +374 -0
- package/src/model/framework-models/django.ts +82 -0
- package/src/model/framework-models/express.ts +54 -0
- package/src/model/framework-models/index.ts +116 -0
- package/src/model/framework-models/nextjs.ts +69 -0
- package/src/model/framework-models/prisma.ts +57 -0
- package/src/model/framework-models/react.ts +63 -0
- package/src/model/framework-models/sequelize.ts +63 -0
- package/src/model/framework-models/types.ts +46 -0
- package/src/model/function-classifier.ts +184 -0
- package/src/model/import-resolver.ts +453 -0
- package/src/{utils → model}/imported-auth-detector.ts +21 -85
- package/src/model/index.ts +353 -0
- package/src/{utils → model}/middleware-detector.ts +156 -17
- package/src/model/module-graph.ts +254 -0
- package/src/{utils → model}/oauth-flow-detector.ts +1 -1
- package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
- package/src/model/route-auth-resolver.ts +216 -0
- package/src/model/route-discovery/express.ts +251 -0
- package/src/model/route-discovery/index.ts +83 -0
- package/src/model/route-discovery/nextjs.ts +216 -0
- package/src/model/route-discovery/python.ts +214 -0
- package/src/model/route-discovery/types.ts +48 -0
- package/src/model/route-discovery/utils.ts +54 -0
- package/src/model/route-hierarchy.ts +250 -0
- package/src/model/sanitiser-detection.ts +268 -0
- package/src/model/sink-matcher.ts +178 -0
- package/src/model/sink-patterns.ts +109 -0
- package/src/model/source-discovery.ts +209 -0
- package/src/model/taint-tracker.ts +333 -0
- package/src/model/taint-types.ts +149 -0
- package/src/{utils → model}/trpc-analyzer.ts +1 -1
- package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +462 -2
- package/src/{utils → parse}/path-exclusions.ts +1 -1
- package/src/pipeline/config.ts +81 -0
- package/src/pipeline/index.ts +437 -0
- package/src/{modes → pipeline/modes}/incremental.ts +6 -6
- package/src/postprocess/aggregation.ts +74 -0
- package/src/postprocess/contradictions.ts +128 -0
- package/src/postprocess/dedup.ts +62 -0
- package/src/postprocess/filtering/__tests__/pipeline.test.ts +134 -0
- package/src/postprocess/filtering/context-adjustments.ts +111 -0
- package/src/postprocess/filtering/index.ts +10 -0
- package/src/postprocess/filtering/pipeline.ts +130 -0
- package/src/postprocess/index.ts +118 -0
- package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
- package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
- package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
- package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
- package/src/{suppression → postprocess/suppression}/types.ts +2 -2
- package/src/postprocess/validation-cap.ts +66 -0
- package/src/report/build-result.ts +94 -0
- package/src/report/enrichment.ts +52 -0
- package/src/report/formatters/__tests__/ai-context.test.ts +254 -0
- package/src/report/formatters/ai-context.ts +302 -0
- package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
- package/src/{formatters → report/formatters}/github-comment.ts +4 -4
- package/src/{formatters → report/formatters}/grouping.ts +8 -8
- package/src/report/formatters/ide/__tests__/ide.test.ts +319 -0
- package/src/report/formatters/ide/claude-code.ts +110 -0
- package/src/report/formatters/ide/cursor.ts +147 -0
- package/src/report/formatters/ide/index.ts +216 -0
- package/src/report/formatters/ide/windsurf.ts +135 -0
- package/src/{formatters → report/formatters}/index.ts +24 -0
- package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
- package/src/report/summary.ts +70 -0
- package/src/score/adjustments.ts +387 -0
- package/src/{layer3/anthropic → score}/auto-dismiss.ts +26 -14
- package/src/score/confidence.ts +66 -0
- package/src/score/index.ts +316 -0
- package/src/score/types.ts +187 -0
- package/src/shared/__tests__/code-analysis.test.ts +165 -0
- package/src/shared/__tests__/parsed-file.test.ts +124 -0
- package/src/shared/ai-context/__tests__/manager.test.ts +193 -0
- package/src/shared/ai-context/index.ts +15 -0
- package/src/shared/ai-context/manager.ts +145 -0
- package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
- package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +2 -2
- package/src/{baseline → shared/baseline}/diff.ts +1 -1
- package/src/{baseline → shared/baseline}/manager.ts +1 -1
- package/src/shared/category-filter.ts +400 -0
- package/src/{layer2/dangerous-functions/utils/control-flow.ts → shared/code-analysis.ts} +56 -39
- package/src/shared/comment-analyzer.ts +249 -0
- package/src/shared/environment-context.ts +304 -0
- package/src/shared/intent-detector.ts +318 -0
- package/src/shared/parsed-file.ts +103 -0
- package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
- package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
- package/src/{rules → shared/rules}/metadata.ts +94 -0
- package/src/shared/schema-semantics.ts +233 -0
- package/src/{types.ts → shared/types.ts} +142 -11
- package/src/tiers.ts +27 -10
- package/src/validate/__tests__/context-extractor.test.ts +191 -0
- package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
- package/src/validate/__tests__/request-builder.test.ts +347 -0
- package/src/{layer3/anthropic → validate}/index.ts +8 -7
- package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
- package/src/validate/prompts/modules/ai-patterns.ts +153 -0
- package/src/validate/prompts/modules/auth-access.ts +22 -0
- package/src/validate/prompts/modules/common.ts +183 -0
- package/src/validate/prompts/modules/index.ts +204 -0
- package/src/validate/prompts/modules/owasp-classic.ts +81 -0
- package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
- package/src/validate/prompts/modules/xss-prompt.ts +19 -0
- package/src/validate/prompts/validation.ts +20 -0
- package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
- package/src/validate/providers/index.ts +8 -0
- package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
- package/src/validate/request-builder.ts +448 -0
- package/src/{layer3/anthropic → validate}/types.ts +1 -1
- package/src/validate/utils/context-extractor.ts +220 -0
- package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
- package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
- package/src/layer3/anthropic/prompts/validation.ts +0 -419
- package/src/layer3/anthropic/providers/index.ts +0 -8
- package/src/layer3/anthropic/request-builder.ts +0 -150
- package/src/layer3/index.ts +0 -168
- /package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/types.ts +0 -0
- /package/src/{utils → shared}/diff-detector.ts +0 -0
- /package/src/{utils → shared}/diff-parser.ts +0 -0
- /package/src/{utils → shared}/registry-clients.ts +0 -0
- /package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
- /package/src/{rules → shared/rules}/index.ts +0 -0
- /package/src/{layer3/anthropic → validate}/clients.ts +0 -0
- /package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0
|
@@ -8,9 +8,9 @@
|
|
|
8
8
|
* Run: npx jest src/__tests__/regression/known-false-positives.test.ts
|
|
9
9
|
*/
|
|
10
10
|
|
|
11
|
-
import { runLayer1Scan } from '../../
|
|
12
|
-
import { runLayer2Scan } from '../../
|
|
13
|
-
import type { ScanFile, Vulnerability, Severity } from '../../types'
|
|
11
|
+
import { runLayer1Scan } from '../../detect/secrets'
|
|
12
|
+
import { runLayer2Scan } from '../../detect/structural'
|
|
13
|
+
import type { ScanFile, Vulnerability, Severity } from '../../shared/types'
|
|
14
14
|
|
|
15
15
|
// Helper to run both layers and get all findings
|
|
16
16
|
async function scanFile(file: ScanFile): Promise<Vulnerability[]> {
|
|
@@ -464,4 +464,802 @@ describe('API tests', () => {
|
|
|
464
464
|
}
|
|
465
465
|
})
|
|
466
466
|
})
|
|
467
|
+
|
|
468
|
+
describe('8. Sprint 4 FP Fixes', () => {
|
|
469
|
+
it('should skip Math.random in template placeholders', async () => {
|
|
470
|
+
// Template placeholder generators use Math.random for non-security purposes
|
|
471
|
+
const file: ScanFile = {
|
|
472
|
+
path: 'src/utils/templates.ts',
|
|
473
|
+
content: `
|
|
474
|
+
const templates = {
|
|
475
|
+
random: () => Math.random().toString(),
|
|
476
|
+
random_hex: () => Math.random().toString(16).slice(2),
|
|
477
|
+
timestamp: () => Date.now().toString(),
|
|
478
|
+
}
|
|
479
|
+
|
|
480
|
+
export function generatePlaceholder(type: string) {
|
|
481
|
+
const generator = templates[type]
|
|
482
|
+
return generator ? generator() : '{{' + type + '}}'
|
|
483
|
+
}
|
|
484
|
+
`,
|
|
485
|
+
language: 'typescript',
|
|
486
|
+
size: 300,
|
|
487
|
+
}
|
|
488
|
+
|
|
489
|
+
const findings = await scanFile(file)
|
|
490
|
+
const mathRandomFindings = findByCategory(findings, 'dangerous_function').filter(f =>
|
|
491
|
+
f.title?.toLowerCase().includes('math.random')
|
|
492
|
+
)
|
|
493
|
+
|
|
494
|
+
// Template placeholder Math.random should be skipped entirely or INFO at most
|
|
495
|
+
expect(mathRandomFindings.length).toBe(0)
|
|
496
|
+
})
|
|
497
|
+
|
|
498
|
+
it('should skip Math.random in Three.js animation', async () => {
|
|
499
|
+
// Three.js uses Math.random for visual effects, not security
|
|
500
|
+
const file: ScanFile = {
|
|
501
|
+
path: 'src/components/ParticleField.tsx',
|
|
502
|
+
content: `
|
|
503
|
+
import { useFrame } from '@react-three/fiber'
|
|
504
|
+
import { useMemo } from 'react'
|
|
505
|
+
|
|
506
|
+
export function ParticleField() {
|
|
507
|
+
const offset = useMemo(() => Math.random() * Math.PI * 2, [])
|
|
508
|
+
const speed = useMemo(() => 0.5 + Math.random() * 0.5, [])
|
|
509
|
+
|
|
510
|
+
useFrame((state) => {
|
|
511
|
+
// Animation logic using random offset
|
|
512
|
+
meshRef.current.rotation.y = state.clock.elapsedTime * speed + offset
|
|
513
|
+
})
|
|
514
|
+
|
|
515
|
+
return <mesh ref={meshRef}><sphereGeometry /></mesh>
|
|
516
|
+
}
|
|
517
|
+
`,
|
|
518
|
+
language: 'typescript',
|
|
519
|
+
size: 400,
|
|
520
|
+
}
|
|
521
|
+
|
|
522
|
+
const findings = await scanFile(file)
|
|
523
|
+
const mathRandomFindings = findByCategory(findings, 'dangerous_function').filter(f =>
|
|
524
|
+
f.title?.toLowerCase().includes('math.random')
|
|
525
|
+
)
|
|
526
|
+
|
|
527
|
+
// Three.js animation Math.random should be skipped entirely
|
|
528
|
+
expect(mathRandomFindings.length).toBe(0)
|
|
529
|
+
})
|
|
530
|
+
|
|
531
|
+
it('should skip regex with same-line escaping', async () => {
|
|
532
|
+
// Escaping on the same line as RegExp is safe
|
|
533
|
+
const file: ScanFile = {
|
|
534
|
+
path: 'src/utils/search.ts',
|
|
535
|
+
content: `
|
|
536
|
+
export function createSearchRegex(input: string) {
|
|
537
|
+
// Same-line escaping pattern - escapeRegExp function
|
|
538
|
+
return new RegExp(escapeRegExp(input), 'gi')
|
|
539
|
+
}
|
|
540
|
+
|
|
541
|
+
export function escapeAndCreate(pattern: string) {
|
|
542
|
+
const escaped = escapeRegExp(pattern)
|
|
543
|
+
return new RegExp(escaped)
|
|
544
|
+
}
|
|
545
|
+
|
|
546
|
+
function escapeRegExp(str: string) {
|
|
547
|
+
return str.replace(/[.*+?^\${}()|[\\]\\\\]/g, '\\\\$&')
|
|
548
|
+
}
|
|
549
|
+
`,
|
|
550
|
+
language: 'typescript',
|
|
551
|
+
size: 300,
|
|
552
|
+
}
|
|
553
|
+
|
|
554
|
+
const findings = await scanFile(file)
|
|
555
|
+
const regexFindings = findByCategory(findings, 'dangerous_function').filter(f =>
|
|
556
|
+
f.title?.toLowerCase().includes('regex')
|
|
557
|
+
)
|
|
558
|
+
|
|
559
|
+
// Escaped regex should be skipped
|
|
560
|
+
expect(regexFindings.length).toBe(0)
|
|
561
|
+
})
|
|
562
|
+
|
|
563
|
+
it('should downgrade file path in desktop app to INFO', async () => {
|
|
564
|
+
// Desktop apps legitimately access filesystem
|
|
565
|
+
const file: ScanFile = {
|
|
566
|
+
path: 'apps/desktop/src/main/fileService.ts',
|
|
567
|
+
content: `
|
|
568
|
+
import fs from 'fs'
|
|
569
|
+
import path from 'path'
|
|
570
|
+
|
|
571
|
+
export function readUserFile(filename: string) {
|
|
572
|
+
const userPath = path.join(app.getPath('userData'), filename)
|
|
573
|
+
return fs.readFileSync(userPath, 'utf-8')
|
|
574
|
+
}
|
|
575
|
+
`,
|
|
576
|
+
language: 'typescript',
|
|
577
|
+
size: 200,
|
|
578
|
+
}
|
|
579
|
+
|
|
580
|
+
const findings = await scanFile(file)
|
|
581
|
+
const filePathFindings = findByCategory(findings, 'dangerous_function').filter(f =>
|
|
582
|
+
f.title?.toLowerCase().includes('file path') || f.title?.toLowerCase().includes('path traversal')
|
|
583
|
+
)
|
|
584
|
+
|
|
585
|
+
// Desktop app file paths should be INFO (not MEDIUM/HIGH)
|
|
586
|
+
for (const f of filePathFindings) {
|
|
587
|
+
expect(['info', 'low']).toContain(f.severity)
|
|
588
|
+
}
|
|
589
|
+
})
|
|
590
|
+
|
|
591
|
+
it('should downgrade child_process in desktop app to MEDIUM', async () => {
|
|
592
|
+
// Desktop apps legitimately spawn processes
|
|
593
|
+
const file: ScanFile = {
|
|
594
|
+
path: 'packages/electron-app/src/ipcHandlers.ts',
|
|
595
|
+
content: `
|
|
596
|
+
import { ipcMain } from 'electron'
|
|
597
|
+
import { spawn } from 'child_process'
|
|
598
|
+
|
|
599
|
+
ipcMain.handle('run-command', async (event, command, args) => {
|
|
600
|
+
// Spawning processes in Electron is expected
|
|
601
|
+
const process = spawn(command, args)
|
|
602
|
+
return new Promise((resolve, reject) => {
|
|
603
|
+
let output = ''
|
|
604
|
+
process.stdout.on('data', (data) => output += data)
|
|
605
|
+
process.on('close', (code) => resolve({ code, output }))
|
|
606
|
+
process.on('error', reject)
|
|
607
|
+
})
|
|
608
|
+
})
|
|
609
|
+
`,
|
|
610
|
+
language: 'typescript',
|
|
611
|
+
size: 400,
|
|
612
|
+
}
|
|
613
|
+
|
|
614
|
+
const findings = await scanFile(file)
|
|
615
|
+
const childProcessFindings = findByCategory(findings, 'dangerous_function').filter(f =>
|
|
616
|
+
f.title?.toLowerCase().includes('child_process')
|
|
617
|
+
)
|
|
618
|
+
|
|
619
|
+
// Desktop app child_process should be MEDIUM (not HIGH/CRITICAL)
|
|
620
|
+
for (const f of childProcessFindings) {
|
|
621
|
+
expect(['info', 'low', 'medium']).toContain(f.severity)
|
|
622
|
+
}
|
|
623
|
+
})
|
|
624
|
+
|
|
625
|
+
it('should skip Math.random in load balancing context', async () => {
|
|
626
|
+
// Load balancing/selection uses Math.random for distribution, not security
|
|
627
|
+
const file: ScanFile = {
|
|
628
|
+
path: 'src/utils/loadBalancer.ts',
|
|
629
|
+
content: `
|
|
630
|
+
export function selectEndpoint(endpoints: string[], mode: 'random' | 'round-robin') {
|
|
631
|
+
if (mode === 'random') {
|
|
632
|
+
const index = Math.floor(Math.random() * endpoints.length)
|
|
633
|
+
return endpoints[index]
|
|
634
|
+
}
|
|
635
|
+
return endpoints[currentIndex++ % endpoints.length]
|
|
636
|
+
}
|
|
637
|
+
|
|
638
|
+
export function pickRandomServer(servers: Server[]) {
|
|
639
|
+
const keys = Object.keys(servers)
|
|
640
|
+
return servers[keys[Math.floor(Math.random() * keys.length)]]
|
|
641
|
+
}
|
|
642
|
+
`,
|
|
643
|
+
language: 'typescript',
|
|
644
|
+
size: 400,
|
|
645
|
+
}
|
|
646
|
+
|
|
647
|
+
const findings = await scanFile(file)
|
|
648
|
+
const mathRandomFindings = findByCategory(findings, 'dangerous_function').filter(f =>
|
|
649
|
+
f.title?.toLowerCase().includes('math.random')
|
|
650
|
+
)
|
|
651
|
+
|
|
652
|
+
// Load balancing Math.random should have info/low severity or be skipped
|
|
653
|
+
for (const f of mathRandomFindings) {
|
|
654
|
+
expect(['info', 'low']).toContain(f.severity)
|
|
655
|
+
}
|
|
656
|
+
})
|
|
657
|
+
})
|
|
658
|
+
|
|
659
|
+
describe('9. Security Headers Regressions', () => {
|
|
660
|
+
it('should NOT flag Express app with helmet as missing headers', async () => {
|
|
661
|
+
const file: ScanFile = {
|
|
662
|
+
path: 'src/server/app.ts',
|
|
663
|
+
content: `
|
|
664
|
+
import express from 'express'
|
|
665
|
+
import helmet from 'helmet'
|
|
666
|
+
|
|
667
|
+
const app = express()
|
|
668
|
+
app.use(helmet())
|
|
669
|
+
app.use(express.json())
|
|
670
|
+
|
|
671
|
+
app.get('/api/data', (req, res) => {
|
|
672
|
+
res.json({ ok: true })
|
|
673
|
+
})
|
|
674
|
+
`,
|
|
675
|
+
language: 'typescript',
|
|
676
|
+
size: 200,
|
|
677
|
+
}
|
|
678
|
+
|
|
679
|
+
const findings = await scanFile(file)
|
|
680
|
+
const headerFindings = findByCategory(findings, 'missing_security_headers')
|
|
681
|
+
// Express with helmet should have no medium+ findings
|
|
682
|
+
for (const f of headerFindings) {
|
|
683
|
+
expect(['info', 'low']).toContain(f.severity)
|
|
684
|
+
}
|
|
685
|
+
})
|
|
686
|
+
|
|
687
|
+
it('should NOT flag Next.js config with proper headers', async () => {
|
|
688
|
+
const file: ScanFile = {
|
|
689
|
+
path: 'next.config.mjs',
|
|
690
|
+
content: `
|
|
691
|
+
const nextConfig = {
|
|
692
|
+
async headers() {
|
|
693
|
+
return [
|
|
694
|
+
{
|
|
695
|
+
source: '/:path*',
|
|
696
|
+
headers: [
|
|
697
|
+
{ key: 'X-Frame-Options', value: 'DENY' },
|
|
698
|
+
{ key: 'Strict-Transport-Security', value: 'max-age=31536000' },
|
|
699
|
+
],
|
|
700
|
+
},
|
|
701
|
+
]
|
|
702
|
+
},
|
|
703
|
+
}
|
|
704
|
+
export default nextConfig
|
|
705
|
+
`,
|
|
706
|
+
language: 'javascript',
|
|
707
|
+
size: 300,
|
|
708
|
+
}
|
|
709
|
+
|
|
710
|
+
const findings = await scanFile(file)
|
|
711
|
+
const headerFindings = findByCategory(findings, 'missing_security_headers')
|
|
712
|
+
expect(headerFindings.length).toBe(0)
|
|
713
|
+
})
|
|
714
|
+
|
|
715
|
+
it('should NOT flag client-side React component for server headers', async () => {
|
|
716
|
+
const file: ScanFile = {
|
|
717
|
+
path: 'src/components/App.tsx',
|
|
718
|
+
content: `
|
|
719
|
+
'use client'
|
|
720
|
+
|
|
721
|
+
export function App() {
|
|
722
|
+
return <div>Hello</div>
|
|
723
|
+
}
|
|
724
|
+
`,
|
|
725
|
+
language: 'typescript',
|
|
726
|
+
size: 100,
|
|
727
|
+
}
|
|
728
|
+
|
|
729
|
+
const findings = await scanFile(file)
|
|
730
|
+
const headerFindings = findByCategory(findings, 'missing_security_headers')
|
|
731
|
+
expect(headerFindings.length).toBe(0)
|
|
732
|
+
})
|
|
733
|
+
})
|
|
734
|
+
|
|
735
|
+
describe('10. SSRF Regressions', () => {
|
|
736
|
+
it('should NOT flag fetch with env var URL', async () => {
|
|
737
|
+
const file: ScanFile = {
|
|
738
|
+
path: 'src/api/internal.ts',
|
|
739
|
+
content: `
|
|
740
|
+
const API_URL = process.env.API_URL
|
|
741
|
+
|
|
742
|
+
export async function getData() {
|
|
743
|
+
const response = await fetch(API_URL + '/data')
|
|
744
|
+
return response.json()
|
|
745
|
+
}
|
|
746
|
+
`,
|
|
747
|
+
language: 'typescript',
|
|
748
|
+
size: 150,
|
|
749
|
+
}
|
|
750
|
+
|
|
751
|
+
const findings = await scanFile(file)
|
|
752
|
+
const ssrfFindings = findByCategory(findings, 'ssrf')
|
|
753
|
+
expect(ssrfFindings.length).toBe(0)
|
|
754
|
+
})
|
|
755
|
+
|
|
756
|
+
it('should NOT flag client-side fetch as SSRF', async () => {
|
|
757
|
+
const file: ScanFile = {
|
|
758
|
+
path: 'src/components/Search.tsx',
|
|
759
|
+
content: `
|
|
760
|
+
'use client'
|
|
761
|
+
|
|
762
|
+
import { useState } from 'react'
|
|
763
|
+
|
|
764
|
+
export function Search() {
|
|
765
|
+
const [q, setQ] = useState('')
|
|
766
|
+
|
|
767
|
+
const search = async () => {
|
|
768
|
+
const res = await fetch(\`/api/search?q=\${q}\`)
|
|
769
|
+
return res.json()
|
|
770
|
+
}
|
|
771
|
+
|
|
772
|
+
return <input value={q} onChange={(e) => setQ(e.target.value)} />
|
|
773
|
+
}
|
|
774
|
+
`,
|
|
775
|
+
language: 'typescript',
|
|
776
|
+
size: 250,
|
|
777
|
+
}
|
|
778
|
+
|
|
779
|
+
const findings = await scanFile(file)
|
|
780
|
+
const ssrfFindings = findByCategory(findings, 'ssrf')
|
|
781
|
+
expect(ssrfFindings.length).toBe(0)
|
|
782
|
+
})
|
|
783
|
+
|
|
784
|
+
it('should NOT flag fetch with allowlist validation', async () => {
|
|
785
|
+
const file: ScanFile = {
|
|
786
|
+
path: 'src/api/proxy.ts',
|
|
787
|
+
content: `
|
|
788
|
+
import express from 'express'
|
|
789
|
+
const allowedDomains = ['api.example.com']
|
|
790
|
+
const app = express()
|
|
791
|
+
|
|
792
|
+
app.post('/proxy', async (req, res) => {
|
|
793
|
+
const url = req.body.url
|
|
794
|
+
const parsed = new URL(url)
|
|
795
|
+
if (!allowedDomains.includes(parsed.hostname)) {
|
|
796
|
+
return res.status(403).json({ error: 'blocked' })
|
|
797
|
+
}
|
|
798
|
+
const response = await fetch(url)
|
|
799
|
+
res.json(await response.json())
|
|
800
|
+
})
|
|
801
|
+
`,
|
|
802
|
+
language: 'typescript',
|
|
803
|
+
size: 300,
|
|
804
|
+
}
|
|
805
|
+
|
|
806
|
+
const findings = await scanFile(file)
|
|
807
|
+
const ssrfFindings = findByCategory(findings, 'ssrf')
|
|
808
|
+
expect(ssrfFindings.length).toBe(0)
|
|
809
|
+
})
|
|
810
|
+
})
|
|
811
|
+
|
|
812
|
+
describe('11. Log Injection Regressions', () => {
|
|
813
|
+
it('should NOT flag console.error(err) in catch block', async () => {
|
|
814
|
+
const file: ScanFile = {
|
|
815
|
+
path: 'src/services/api.ts',
|
|
816
|
+
content: `
|
|
817
|
+
export async function fetchData() {
|
|
818
|
+
try {
|
|
819
|
+
return await fetch('/api').then(r => r.json())
|
|
820
|
+
} catch (err) {
|
|
821
|
+
console.error(err)
|
|
822
|
+
throw err
|
|
823
|
+
}
|
|
824
|
+
}
|
|
825
|
+
`,
|
|
826
|
+
language: 'typescript',
|
|
827
|
+
size: 150,
|
|
828
|
+
}
|
|
829
|
+
|
|
830
|
+
const findings = await scanFile(file)
|
|
831
|
+
const logFindings = findByCategory(findings, 'log_injection')
|
|
832
|
+
expect(logFindings.length).toBe(0)
|
|
833
|
+
})
|
|
834
|
+
|
|
835
|
+
it('should NOT flag static string logging', async () => {
|
|
836
|
+
const file: ScanFile = {
|
|
837
|
+
path: 'src/server/init.ts',
|
|
838
|
+
content: `
|
|
839
|
+
const logger = require('pino')()
|
|
840
|
+
|
|
841
|
+
logger.info('Server started on port 3000')
|
|
842
|
+
logger.info('Environment: production')
|
|
843
|
+
console.log('Ready')
|
|
844
|
+
`,
|
|
845
|
+
language: 'typescript',
|
|
846
|
+
size: 100,
|
|
847
|
+
}
|
|
848
|
+
|
|
849
|
+
const findings = await scanFile(file)
|
|
850
|
+
const logFindings = findByCategory(findings, 'log_injection')
|
|
851
|
+
expect(logFindings.length).toBe(0)
|
|
852
|
+
})
|
|
853
|
+
|
|
854
|
+
it('should NOT flag logging internal IDs', async () => {
|
|
855
|
+
const file: ScanFile = {
|
|
856
|
+
path: 'src/services/user.ts',
|
|
857
|
+
content: `
|
|
858
|
+
const logger = require('pino')()
|
|
859
|
+
|
|
860
|
+
export function processUser(user: { id: string }) {
|
|
861
|
+
logger.info({ userId: user.id })
|
|
862
|
+
console.log('Processing user:', user.id)
|
|
863
|
+
}
|
|
864
|
+
`,
|
|
865
|
+
language: 'typescript',
|
|
866
|
+
size: 150,
|
|
867
|
+
}
|
|
868
|
+
|
|
869
|
+
const findings = await scanFile(file)
|
|
870
|
+
const logFindings = findByCategory(findings, 'log_injection')
|
|
871
|
+
expect(logFindings.length).toBe(0)
|
|
872
|
+
})
|
|
873
|
+
|
|
874
|
+
it('should NOT flag Morgan middleware', async () => {
|
|
875
|
+
const file: ScanFile = {
|
|
876
|
+
path: 'src/server/app.ts',
|
|
877
|
+
content: `
|
|
878
|
+
import express from 'express'
|
|
879
|
+
import morgan from 'morgan'
|
|
880
|
+
|
|
881
|
+
const app = express()
|
|
882
|
+
app.use(morgan('combined'))
|
|
883
|
+
|
|
884
|
+
app.get('/api/data', (req, res) => {
|
|
885
|
+
res.json({ ok: true })
|
|
886
|
+
})
|
|
887
|
+
`,
|
|
888
|
+
language: 'typescript',
|
|
889
|
+
size: 150,
|
|
890
|
+
}
|
|
891
|
+
|
|
892
|
+
const findings = await scanFile(file)
|
|
893
|
+
const logFindings = findByCategory(findings, 'log_injection')
|
|
894
|
+
expect(logFindings.length).toBe(0)
|
|
895
|
+
})
|
|
896
|
+
})
|
|
897
|
+
|
|
898
|
+
describe('12. XXE Regressions', () => {
|
|
899
|
+
it('should NOT flag Python file with defusedxml import', async () => {
|
|
900
|
+
const file: ScanFile = {
|
|
901
|
+
path: 'src/parser.py',
|
|
902
|
+
content: `
|
|
903
|
+
import defusedxml.ElementTree as ET
|
|
904
|
+
|
|
905
|
+
def parse_xml(data):
|
|
906
|
+
tree = ET.parse(data)
|
|
907
|
+
return tree.getroot()
|
|
908
|
+
`,
|
|
909
|
+
language: 'python',
|
|
910
|
+
size: 100,
|
|
911
|
+
}
|
|
912
|
+
|
|
913
|
+
const findings = await scanFile(file)
|
|
914
|
+
const xxeFindings = findByCategory(findings, 'xxe')
|
|
915
|
+
expect(xxeFindings.length).toBe(0)
|
|
916
|
+
})
|
|
917
|
+
|
|
918
|
+
it('should NOT flag Java with DTD disabled', async () => {
|
|
919
|
+
const file: ScanFile = {
|
|
920
|
+
path: 'src/XmlService.java',
|
|
921
|
+
content: `
|
|
922
|
+
import javax.xml.parsers.DocumentBuilderFactory;
|
|
923
|
+
|
|
924
|
+
public class SafeXml {
|
|
925
|
+
public void parse(String xml) throws Exception {
|
|
926
|
+
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
927
|
+
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
928
|
+
factory.newDocumentBuilder().parse(xml);
|
|
929
|
+
}
|
|
930
|
+
}
|
|
931
|
+
`,
|
|
932
|
+
language: 'java',
|
|
933
|
+
size: 200,
|
|
934
|
+
}
|
|
935
|
+
|
|
936
|
+
const findings = await scanFile(file)
|
|
937
|
+
const xxeFindings = findByCategory(findings, 'xxe')
|
|
938
|
+
expect(xxeFindings.length).toBe(0)
|
|
939
|
+
})
|
|
940
|
+
|
|
941
|
+
it('should produce info at most for XML parsing in test file', async () => {
|
|
942
|
+
const file: ScanFile = {
|
|
943
|
+
path: 'src/__tests__/xml.test.ts',
|
|
944
|
+
content: `
|
|
945
|
+
import xml2js from 'xml2js'
|
|
946
|
+
|
|
947
|
+
describe('XML parsing', () => {
|
|
948
|
+
it('parses XML', () => {
|
|
949
|
+
xml2js.parseString('<root/>', (err, result) => {
|
|
950
|
+
expect(result).toBeDefined()
|
|
951
|
+
})
|
|
952
|
+
})
|
|
953
|
+
})
|
|
954
|
+
`,
|
|
955
|
+
language: 'typescript',
|
|
956
|
+
size: 150,
|
|
957
|
+
}
|
|
958
|
+
|
|
959
|
+
const findings = await scanFile(file)
|
|
960
|
+
const xxeFindings = findByCategory(findings, 'xxe')
|
|
961
|
+
for (const f of xxeFindings) {
|
|
962
|
+
expect(f.severity).toBe('info')
|
|
963
|
+
}
|
|
964
|
+
})
|
|
965
|
+
})
|
|
966
|
+
|
|
967
|
+
describe('13. Sprint 5 FP Fixes', () => {
|
|
968
|
+
it('should skip regex with multi-line .replaceAll escaping', async () => {
|
|
969
|
+
// Multi-line escaping pattern - escaping happens on previous lines before RegExp
|
|
970
|
+
const file: ScanFile = {
|
|
971
|
+
path: 'src/utils/matcher.ts',
|
|
972
|
+
content: `
|
|
973
|
+
const regexStr = pattern
|
|
974
|
+
.replaceAll(/[$()*+.?[\\]^{|}]/g, '\\\\$&')
|
|
975
|
+
.replaceAll('\\\\(.*\\\\)', '.*');
|
|
976
|
+
return new RegExp(\`^\${regexStr}$\`);
|
|
977
|
+
`,
|
|
978
|
+
language: 'typescript',
|
|
979
|
+
size: 200,
|
|
980
|
+
}
|
|
981
|
+
const findings = await scanFile(file)
|
|
982
|
+
const regexFindings = findByCategory(findings, 'dangerous_function')
|
|
983
|
+
.filter(f => f.title?.toLowerCase().includes('regex'))
|
|
984
|
+
expect(regexFindings.length).toBe(0)
|
|
985
|
+
})
|
|
986
|
+
|
|
987
|
+
it('should skip new RegExp(existingRegex.source)', async () => {
|
|
988
|
+
// Using .source from an existing RegExp is safe - it's already validated
|
|
989
|
+
const file: ScanFile = {
|
|
990
|
+
path: 'src/utils/regex.ts',
|
|
991
|
+
content: `
|
|
992
|
+
const globalPattern = pattern.global
|
|
993
|
+
? pattern
|
|
994
|
+
: new RegExp(pattern.source, pattern.flags + 'g');
|
|
995
|
+
`,
|
|
996
|
+
language: 'typescript',
|
|
997
|
+
size: 150,
|
|
998
|
+
}
|
|
999
|
+
const findings = await scanFile(file)
|
|
1000
|
+
const regexFindings = findByCategory(findings, 'dangerous_function')
|
|
1001
|
+
.filter(f => f.title?.toLowerCase().includes('regex'))
|
|
1002
|
+
expect(regexFindings.length).toBe(0)
|
|
1003
|
+
})
|
|
1004
|
+
|
|
1005
|
+
it('should skip readdir + pMap iteration', async () => {
|
|
1006
|
+
// Paths from fs.readdir iterated via pMap are filesystem-controlled
|
|
1007
|
+
const file: ScanFile = {
|
|
1008
|
+
path: 'src/cache/reader.ts',
|
|
1009
|
+
content: `
|
|
1010
|
+
import fs from 'fs/promises'
|
|
1011
|
+
import pMap from 'p-map'
|
|
1012
|
+
|
|
1013
|
+
const files = await fs.readdir(cachePath);
|
|
1014
|
+
const results = await pMap(files, async (file) => {
|
|
1015
|
+
return fs.readFile(\`\${cachePath}/\${file}\`);
|
|
1016
|
+
});
|
|
1017
|
+
`,
|
|
1018
|
+
language: 'typescript',
|
|
1019
|
+
size: 200,
|
|
1020
|
+
}
|
|
1021
|
+
const findings = await scanFile(file)
|
|
1022
|
+
const pathFindings = findByCategory(findings, 'dangerous_function')
|
|
1023
|
+
.filter(f => f.title?.toLowerCase().includes('file path') || f.title?.toLowerCase().includes('path traversal'))
|
|
1024
|
+
expect(pathFindings.length).toBe(0)
|
|
1025
|
+
})
|
|
1026
|
+
|
|
1027
|
+
it('should skip readdir + .map() iteration', async () => {
|
|
1028
|
+
// Paths from fs.readdir iterated via .map() are filesystem-controlled
|
|
1029
|
+
const file: ScanFile = {
|
|
1030
|
+
path: 'src/cache/loader.ts',
|
|
1031
|
+
content: `
|
|
1032
|
+
import fs from 'fs/promises'
|
|
1033
|
+
|
|
1034
|
+
const files = await fs.readdir(cachePath);
|
|
1035
|
+
const results = files.map((file) => {
|
|
1036
|
+
return \`\${cachePath}/\${file}\`;
|
|
1037
|
+
});
|
|
1038
|
+
`,
|
|
1039
|
+
language: 'typescript',
|
|
1040
|
+
size: 200,
|
|
1041
|
+
}
|
|
1042
|
+
const findings = await scanFile(file)
|
|
1043
|
+
const pathFindings = findByCategory(findings, 'dangerous_function')
|
|
1044
|
+
.filter(f => f.title?.toLowerCase().includes('file path') || f.title?.toLowerCase().includes('path traversal'))
|
|
1045
|
+
expect(pathFindings.length).toBe(0)
|
|
1046
|
+
})
|
|
1047
|
+
|
|
1048
|
+
it('should skip readdir + Promise.all iteration', async () => {
|
|
1049
|
+
// Paths from fs.readdir with Promise.all mapping are filesystem-controlled
|
|
1050
|
+
const file: ScanFile = {
|
|
1051
|
+
path: 'src/cache/processor.ts',
|
|
1052
|
+
content: `
|
|
1053
|
+
import fs from 'fs/promises'
|
|
1054
|
+
|
|
1055
|
+
const files = await fs.readdir(cachePath);
|
|
1056
|
+
const results = await Promise.all(files.map(async (file) => {
|
|
1057
|
+
return fs.readFile(\`\${cachePath}/\${file}\`);
|
|
1058
|
+
}));
|
|
1059
|
+
`,
|
|
1060
|
+
language: 'typescript',
|
|
1061
|
+
size: 200,
|
|
1062
|
+
}
|
|
1063
|
+
const findings = await scanFile(file)
|
|
1064
|
+
const pathFindings = findByCategory(findings, 'dangerous_function')
|
|
1065
|
+
.filter(f => f.title?.toLowerCase().includes('file path') || f.title?.toLowerCase().includes('path traversal'))
|
|
1066
|
+
expect(pathFindings.length).toBe(0)
|
|
1067
|
+
})
|
|
1068
|
+
|
|
1069
|
+
it('should skip Object.entries over hardcoded object', async () => {
|
|
1070
|
+
// Iterating over hardcoded objects is safe - not user input
|
|
1071
|
+
const file: ScanFile = {
|
|
1072
|
+
path: 'src/fonts/loader.ts',
|
|
1073
|
+
content: `
|
|
1074
|
+
import fs from 'fs/promises'
|
|
1075
|
+
|
|
1076
|
+
const fontFiles = {
|
|
1077
|
+
'font1.ttf': 'https://example.com/font1.ttf',
|
|
1078
|
+
'font2.ttf': 'https://example.com/font2.ttf',
|
|
1079
|
+
};
|
|
1080
|
+
for (const [filename, url] of Object.entries(fontFiles)) {
|
|
1081
|
+
await fs.writeFile(\`/fonts/\$(unknown)\`, await fetch(url).then(r => r.arrayBuffer()));
|
|
1082
|
+
}
|
|
1083
|
+
`,
|
|
1084
|
+
language: 'typescript',
|
|
1085
|
+
size: 250,
|
|
1086
|
+
}
|
|
1087
|
+
const findings = await scanFile(file)
|
|
1088
|
+
const pathFindings = findByCategory(findings, 'dangerous_function')
|
|
1089
|
+
.filter(f => f.title?.toLowerCase().includes('file path') || f.title?.toLowerCase().includes('path traversal'))
|
|
1090
|
+
expect(pathFindings.length).toBe(0)
|
|
1091
|
+
})
|
|
1092
|
+
|
|
1093
|
+
it('should skip static subprocess list args split across multiple lines', async () => {
|
|
1094
|
+
// Multi-line subprocess.Popen(["xprop", "-root", ...]) is safe — all static strings
|
|
1095
|
+
const file: ScanFile = {
|
|
1096
|
+
path: 'utils/wtf.py',
|
|
1097
|
+
content: `
|
|
1098
|
+
import subprocess
|
|
1099
|
+
|
|
1100
|
+
def get_active_window():
|
|
1101
|
+
output = subprocess.Popen(
|
|
1102
|
+
["xprop", "-root", "_NET_ACTIVE_WINDOW"],
|
|
1103
|
+
stdout=subprocess.PIPE
|
|
1104
|
+
).communicate()[0]
|
|
1105
|
+
return output
|
|
1106
|
+
`,
|
|
1107
|
+
language: 'python',
|
|
1108
|
+
size: 200,
|
|
1109
|
+
}
|
|
1110
|
+
const findings = await scanFile(file)
|
|
1111
|
+
const subprocessFindings = findByCategory(findings, 'dangerous_function')
|
|
1112
|
+
.filter(f => f.title?.toLowerCase().includes('subprocess') || f.title?.toLowerCase().includes('os.system'))
|
|
1113
|
+
// Static multi-line list args should produce no HIGH finding
|
|
1114
|
+
for (const f of subprocessFindings) {
|
|
1115
|
+
expect(['info', 'low']).toContain(f.severity)
|
|
1116
|
+
}
|
|
1117
|
+
// Actually should be fully skipped (all static)
|
|
1118
|
+
expect(subprocessFindings.length).toBe(0)
|
|
1119
|
+
})
|
|
1120
|
+
|
|
1121
|
+
it('should produce LOW for multi-line subprocess list with variable args', async () => {
|
|
1122
|
+
// subprocess.Popen(["xwininfo", "-id", window_id]) — list with a variable
|
|
1123
|
+
const file: ScanFile = {
|
|
1124
|
+
path: 'utils/wtf.py',
|
|
1125
|
+
content: `
|
|
1126
|
+
import subprocess
|
|
1127
|
+
|
|
1128
|
+
def get_window_info(window_id):
|
|
1129
|
+
output = subprocess.Popen(
|
|
1130
|
+
["xwininfo", "-id", window_id],
|
|
1131
|
+
stdout=subprocess.PIPE
|
|
1132
|
+
).communicate()[0]
|
|
1133
|
+
return output
|
|
1134
|
+
`,
|
|
1135
|
+
language: 'python',
|
|
1136
|
+
size: 200,
|
|
1137
|
+
}
|
|
1138
|
+
const findings = await scanFile(file)
|
|
1139
|
+
const subprocessFindings = findByCategory(findings, 'dangerous_function')
|
|
1140
|
+
.filter(f => f.title?.toLowerCase().includes('subprocess') || f.title?.toLowerCase().includes('os.system'))
|
|
1141
|
+
// List args with variables should be LOW at most
|
|
1142
|
+
for (const f of subprocessFindings) {
|
|
1143
|
+
expect(['info', 'low']).toContain(f.severity)
|
|
1144
|
+
}
|
|
1145
|
+
})
|
|
1146
|
+
|
|
1147
|
+
it('should produce LOW for subprocess called with a variable that resolves to a list', async () => {
|
|
1148
|
+
// args = ["osascript", "-e", script]; subprocess.check_output(args, ...)
|
|
1149
|
+
const file: ScanFile = {
|
|
1150
|
+
path: 'utils/run_applescript.py',
|
|
1151
|
+
content: `
|
|
1152
|
+
import subprocess
|
|
1153
|
+
|
|
1154
|
+
def run_applescript(script):
|
|
1155
|
+
args = ["osascript", "-e", script]
|
|
1156
|
+
return subprocess.check_output(args, stderr=subprocess.PIPE).decode()
|
|
1157
|
+
`,
|
|
1158
|
+
language: 'python',
|
|
1159
|
+
size: 200,
|
|
1160
|
+
}
|
|
1161
|
+
const findings = await scanFile(file)
|
|
1162
|
+
const subprocessFindings = findByCategory(findings, 'dangerous_function')
|
|
1163
|
+
.filter(f => f.title?.toLowerCase().includes('subprocess') || f.title?.toLowerCase().includes('os.system'))
|
|
1164
|
+
// Variable resolving to list with dynamic element → LOW
|
|
1165
|
+
for (const f of subprocessFindings) {
|
|
1166
|
+
expect(['info', 'low']).toContain(f.severity)
|
|
1167
|
+
}
|
|
1168
|
+
})
|
|
1169
|
+
|
|
1170
|
+
it('should preserve HIGH for f-string direct arg to subprocess', async () => {
|
|
1171
|
+
// subprocess.check_output(f"curl {api_base}") — real command injection risk
|
|
1172
|
+
const file: ScanFile = {
|
|
1173
|
+
path: 'utils/system_debug_info.py',
|
|
1174
|
+
content: `
|
|
1175
|
+
import subprocess
|
|
1176
|
+
|
|
1177
|
+
def check_api(api_base):
|
|
1178
|
+
result = subprocess.check_output(f"curl {api_base}", shell=False)
|
|
1179
|
+
return result.decode()
|
|
1180
|
+
`,
|
|
1181
|
+
language: 'python',
|
|
1182
|
+
size: 150,
|
|
1183
|
+
}
|
|
1184
|
+
const findings = await scanFile(file)
|
|
1185
|
+
const subprocessFindings = findByCategory(findings, 'dangerous_function')
|
|
1186
|
+
.filter(f => f.title?.toLowerCase().includes('subprocess') || f.title?.toLowerCase().includes('os.system'))
|
|
1187
|
+
// f-string direct arg → HIGH (true positive)
|
|
1188
|
+
const hasSevere = subprocessFindings.some(f => f.severity === 'high' || f.severity === 'critical')
|
|
1189
|
+
expect(hasSevere).toBe(true)
|
|
1190
|
+
})
|
|
1191
|
+
|
|
1192
|
+
it('should preserve HIGH for subprocess with shell=True', async () => {
|
|
1193
|
+
// subprocess.run(f"cd {path} && semgrep", shell=True) — real injection risk
|
|
1194
|
+
const file: ScanFile = {
|
|
1195
|
+
path: 'utils/scan_code.py',
|
|
1196
|
+
content: `
|
|
1197
|
+
import subprocess
|
|
1198
|
+
|
|
1199
|
+
def scan(path):
|
|
1200
|
+
result = subprocess.run(
|
|
1201
|
+
f"cd {path} && semgrep --config auto",
|
|
1202
|
+
shell=True,
|
|
1203
|
+
capture_output=True
|
|
1204
|
+
)
|
|
1205
|
+
return result.stdout.decode()
|
|
1206
|
+
`,
|
|
1207
|
+
language: 'python',
|
|
1208
|
+
size: 200,
|
|
1209
|
+
}
|
|
1210
|
+
const findings = await scanFile(file)
|
|
1211
|
+
const subprocessFindings = findByCategory(findings, 'dangerous_function')
|
|
1212
|
+
.filter(f => f.title?.toLowerCase().includes('subprocess') || f.title?.toLowerCase().includes('os.system'))
|
|
1213
|
+
// shell=True → HIGH (true positive)
|
|
1214
|
+
const hasSevere = subprocessFindings.some(f => f.severity === 'high' || f.severity === 'critical')
|
|
1215
|
+
expect(hasSevere).toBe(true)
|
|
1216
|
+
})
|
|
1217
|
+
|
|
1218
|
+
it('should skip subprocess.run with static list args on single line', async () => {
|
|
1219
|
+
// subprocess.run(["ollama", "list"], ...) — fully static, single line
|
|
1220
|
+
const file: ScanFile = {
|
|
1221
|
+
path: 'utils/local_setup.py',
|
|
1222
|
+
content: `
|
|
1223
|
+
import subprocess
|
|
1224
|
+
|
|
1225
|
+
def check_ollama():
|
|
1226
|
+
result = subprocess.run(
|
|
1227
|
+
["ollama", "list"],
|
|
1228
|
+
capture_output=True, text=True
|
|
1229
|
+
)
|
|
1230
|
+
return result.stdout
|
|
1231
|
+
`,
|
|
1232
|
+
language: 'python',
|
|
1233
|
+
size: 150,
|
|
1234
|
+
}
|
|
1235
|
+
const findings = await scanFile(file)
|
|
1236
|
+
const subprocessFindings = findByCategory(findings, 'dangerous_function')
|
|
1237
|
+
.filter(f => f.title?.toLowerCase().includes('subprocess') || f.title?.toLowerCase().includes('os.system'))
|
|
1238
|
+
expect(subprocessFindings.length).toBe(0)
|
|
1239
|
+
})
|
|
1240
|
+
|
|
1241
|
+
it('should skip Object.keys over hardcoded object for file paths', async () => {
|
|
1242
|
+
// Object.keys over const object is also safe
|
|
1243
|
+
const file: ScanFile = {
|
|
1244
|
+
path: 'src/assets/loader.ts',
|
|
1245
|
+
content: `
|
|
1246
|
+
import fs from 'fs/promises'
|
|
1247
|
+
|
|
1248
|
+
const assetPaths = {
|
|
1249
|
+
logo: '/assets/logo.png',
|
|
1250
|
+
icon: '/assets/icon.svg',
|
|
1251
|
+
};
|
|
1252
|
+
for (const key of Object.keys(assetPaths)) {
|
|
1253
|
+
await fs.access(\`/public/\${key}\`);
|
|
1254
|
+
}
|
|
1255
|
+
`,
|
|
1256
|
+
language: 'typescript',
|
|
1257
|
+
size: 200,
|
|
1258
|
+
}
|
|
1259
|
+
const findings = await scanFile(file)
|
|
1260
|
+
const pathFindings = findByCategory(findings, 'dangerous_function')
|
|
1261
|
+
.filter(f => f.title?.toLowerCase().includes('file path') || f.title?.toLowerCase().includes('path traversal'))
|
|
1262
|
+
expect(pathFindings.length).toBe(0)
|
|
1263
|
+
})
|
|
1264
|
+
})
|
|
467
1265
|
})
|
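Review bot: The Object.entries fixture at new line 1081 writes to `/fonts/$(unknown)` and never uses the destructured `filename`, so the test named "should skip Object.entries over hardcoded object" does not exercise a path built from the object's keys and would pass even if the scanner flagged that interpolation; this looks like a mangled placeholder and should use `${filename}` in place of `$(unknown)`. The tests whose names assert a downgrade (new lines 563, 591, 1121 and 1147) only loop over the filtered findings, so they pass vacuously when nothing is reported and cannot tell "downgraded" from "missed"; where the expectation is a downgrade rather than a skip, add `expect(filePathFindings.length).toBeGreaterThan(0)` (and the equivalent for `childProcessFindings` / `subprocessFindings`) before the loop. The Electron fixture at new lines 599–601 passes `command` and `args` received from a renderer IPC message straight to `spawn`, which is a privilege boundary regardless of app type, so locking that in as MEDIUM at most may codify a false negative; either make the desktop-app downgrade conditional on the command not coming from `ipcMain.handle` arguments, or use a fixture with a static command so the test only covers the intended "expected process spawning" case. The enclosing `describe('API tests', ...)` block starts outside this hunk.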