@oculum/scanner 1.0.11 → 1.0.13

package/src/detect/structural/log-injection.ts

@@ -0,0 +1,254 @@
+/**
+ * Layer 2: Log Injection Detector
+ * Detects unsanitized user input flowing into log statements
+ *
+ * OWASP A09:2021 - Security Logging and Monitoring Failures
+ * CWE-117: Improper Output Neutralization for Logs
+ */
+
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import {
+  isComment,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.35
+
+interface LogInjectionOptions {
+  parsed?: ParsedFile
+}
+
+/** Log sink patterns */
+const LOG_SINK_PATTERNS = [
+  /console\.(?:log|info|warn|error|debug|trace)\s*\(/,
+  /logger\.(?:log|info|warn|error|debug|trace|fatal|silly|verbose)\s*\(/,
+  /(?:winston|pino|bunyan|log4js|signale)\.(?:log|info|warn|error|debug)\s*\(/,
+  /log\.(?:info|warn|error|debug|trace|fatal)\s*\(/,
+]
+
+/** User-controlled request data patterns */
+const USER_INPUT_PATTERNS = [
+  /(?:req|request|ctx\.request)\.(?:body|query|params)(?:\.\w+|\[['"][^'"]+['"]\])/,
+  /(?:req|request)\.headers(?:\.\w+|\[['"][^'"]+['"]\])/,
+]
+
+/** Error/catch variable names to exclude */
+const ERROR_VAR_PATTERN = /\b(?:err|error|e|ex|exception)\b/
+
+/** Patterns that are NOT user input (internal/app data) */
+const NOT_USER_INPUT_PATTERNS = [
+  // Error objects in catch blocks
+  /\bcatch\s*\(\s*(?:err|error|e|ex|exception)\b/,
+  // Internal IDs
+  /(?:user|session|tenant|org|account)\.id\b/,
+  /(?:userId|sessionId|tenantId|orgId|accountId)\b/,
+  // Internal state
+  /\.length\b/,
+  /\.count\b/,
+  /\.size\b/,
+  /\.status\b/,
+]
+
+/** Middleware logging patterns to skip entirely */
+const MIDDLEWARE_LOGGING = /(?:app|server|router)\.use\s*\(\s*(?:morgan|pino|express-winston|express\.logger)/
+
+/** Sanitization patterns near log line */
+const SANITIZATION_PATTERNS = [
+  /\.replace\s*\(\s*\/\[\\r\\n\]/,
+  /sanitize\s*\(/,
+  /escape\s*\(/,
+  /encodeURI(?:Component)?\s*\(/,
+  /stripNewlines?\s*\(/,
+  /\.replace\s*\(\s*\/[\r\n]/,
+]
+
+/**
+ * Check if a log line contains user input (not just error objects)
+ */
+function containsUserInput(line: string, lines: string[], lineIndex: number): {
+  found: boolean
+  type: 'header' | 'body' | 'spread' | 'stringify'
+} {
+  // Check for req.headers in log
+  if (/(?:req|request)\.headers/.test(line)) {
+    return { found: true, type: 'header' }
+  }
+
+  // Check for req.body/query/params in log
+  if (/(?:req|request|ctx\.request)\.(?:body|query|params)(?:\.\w+|\[)/.test(line)) {
+    return { found: true, type: 'body' }
+  }
+
+  // Check for spread of request body: console.log({ ...req.body })
+  if (/\.\.\.\s*(?:req|request|ctx\.request)\.(?:body|query|params)/.test(line)) {
+    return { found: true, type: 'spread' }
+  }
+
+  // Check for JSON.stringify(req.body) in log
+  if (/JSON\.stringify\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/.test(line)) {
+    return { found: true, type: 'stringify' }
+  }
+
+  // Check for template literal with user input
+  if (/`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/.test(line)) {
+    return { found: true, type: 'body' }
+  }
+
+  // Multi-line log calls: check ±3 lines
+  for (let offset = -3; offset <= 3; offset++) {
+    if (offset === 0) continue
+    const idx = lineIndex + offset
+    if (idx < 0 || idx >= lines.length) continue
+    const nearLine = lines[idx]
+    if (USER_INPUT_PATTERNS.some(p => p.test(nearLine))) {
+      // Only flag if the nearby line is part of the same log call (open paren)
+      const fromStart = Math.min(lineIndex, idx)
+      const toEnd = Math.max(lineIndex, idx)
+      const block = lines.slice(fromStart, toEnd + 1).join('\n')
+      // Check for unclosed paren indicating multi-line call
+      const openParens = (block.match(/\(/g) || []).length
+      const closeParens = (block.match(/\)/g) || []).length
+      if (openParens > closeParens) {
+        if (/(?:req|request)\.headers/.test(nearLine)) {
+          return { found: true, type: 'header' }
+        }
+        return { found: true, type: 'body' }
+      }
+    }
+  }
+
+  return { found: false, type: 'body' }
+}
+
+/**
+ * Check if the log line is just error logging in a catch block
+ */
+function isErrorLogging(line: string, lines: string[], lineIndex: number): boolean {
+  // Direct error object logging: console.error(err), console.error(error)
+  if (/console\.(?:error|warn|log)\s*\(\s*(?:['"][^'"]*['"],?\s*)?(?:err|error|e|ex|exception)\s*\)/.test(line)) {
+    return true
+  }
+
+  // console.error('message', error) pattern
+  if (/console\.(?:error|warn|log)\s*\(\s*['"][^'"]*['"],\s*(?:err|error|e|ex|exception)\s*\)/.test(line)) {
+    return true
+  }
+
+  // error.message logging
+  if (/(?:err|error|e|ex|exception)\.(?:message|stack|name|code)\b/.test(line)) {
+    return true
+  }
+
+  // logger.error('msg', { error })
+  if (/logger\.(?:error|warn)\s*\(.*(?:err|error|e)\b/.test(line) && !USER_INPUT_PATTERNS.some(p => p.test(line))) {
+    return true
+  }
+
+  // Check if we're inside a catch block
+  for (let j = lineIndex - 1; j >= Math.max(0, lineIndex - 5); j--) {
+    if (/\bcatch\s*\(/.test(lines[j])) {
+      // We're in a catch block — check if the logged value is the error var
+      const catchMatch = lines[j].match(/catch\s*\(\s*(\w+)/)
+      if (catchMatch) {
+        const errorVar = catchMatch[1]
+        if (new RegExp(`\\b${errorVar}\\b`).test(line)) {
+          return true
+        }
+      }
+    }
+  }
+
+  return false
+}
+
+/**
+ * Check for sanitization near the log line
+ */
+function hasSanitization(lines: string[], lineIndex: number): boolean {
+  const start = Math.max(0, lineIndex - 3)
+  const end = Math.min(lines.length, lineIndex + 4)
+  const context = lines.slice(start, end).join('\n')
+  return SANITIZATION_PATTERNS.some(p => p.test(context))
+}
+
+/**
+ * Detect log injection patterns
+ */
+export function detectLogInjection(
+  content: string,
+  filePath: string,
+  options?: LogInjectionOptions
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isTestOrMockFile(filePath)) return vulnerabilities
+
+  // Skip Morgan/express middleware logging (intentional request logging)
+  if (MIDDLEWARE_LOGGING.test(content)) return vulnerabilities
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (isComment(line)) continue
+
+    // Check if this line is a log sink
+    const isLogSink = LOG_SINK_PATTERNS.some(p => p.test(line))
+    if (!isLogSink) continue
+
+    // Skip error logging (not user input)
+    if (isErrorLogging(line, lines, i)) continue
+
+    // Check if user input flows to this log call
+    const userInput = containsUserInput(line, lines, i)
+    if (!userInput.found) continue
+
+    // Skip if sanitization is nearby
+    if (hasSanitization(lines, i)) continue
+
+    // Determine severity
+    let severity: VulnerabilitySeverity = 'low'
+    let title = 'Log injection: User input in log statement'
+    let description = ''
+
+    if (userInput.type === 'header') {
+      severity = 'medium'
+      title = 'Log injection: HTTP headers in log statement'
+      description =
+        'HTTP request headers are logged without sanitization. Headers can contain CRLF sequences that forge log entries or inject malicious content into log processing tools.'
+    } else if (userInput.type === 'spread' || userInput.type === 'stringify') {
+      severity = 'low'
+      title = 'Log injection: Entire request body logged'
+      description =
+        'Entire request body is logged, which may contain unsanitized user input. This can lead to log forging, log injection, or sensitive data exposure in logs.'
+    } else {
+      severity = 'low'
+      title = 'Log injection: Request data in log statement'
+      description =
+        'User-controlled request data flows into a log statement. Unsanitized input can forge log entries or inject newlines to create misleading log records.'
+    }
+
+    vulnerabilities.push({
+      id: `loginj-${filePath}-${i + 1}`,
+      filePath,
+      lineNumber: i + 1,
+      lineContent: line.trim(),
+      severity,
+      category: 'log_injection',
+      title,
+      description,
+      suggestedFix:
+        'Sanitize user input before logging (strip newlines and control characters). Use structured logging (JSON format) to prevent log forging.',
+      confidence: severity === 'medium' ? 'high' : 'medium',
+      baseConfidence: BASE_CONFIDENCE,
+      layer: 2,
+        source: 'structural' as const,
+      requiresAIValidation: severity !== 'medium',
+    })
+  }
+
+  return vulnerabilities
+}

package/src/{layer2 → detect/structural}/logic-gates.ts

@@ -3,8 +3,13 @@
  * Identifies security bypass patterns and dangerous logic flows
  */
 
-import type { Vulnerability } from '../types'
-import { isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isScannerOrFixtureFile } from '../../parse/file-classifier'
+import { isDisabledAuthComment } from '../../shared/comment-analyzer'
+import { isReactStateSetter, isActualRedirect } from '../../shared/intent-detector'
+
+const BASE_CONFIDENCE = 0.20
 
 interface LogicPattern {
   name: string
@@ -39,13 +44,9 @@ const LOGIC_PATTERNS: LogicPattern[] = [
     description: 'Hardcoded truthy condition may bypass authentication',
     suggestedFix: 'Remove hardcoded bypass and implement proper authentication check',
   },
-  {
-    name: 'Commented auth check',
-    pattern: /\/\/\s*(if|await|return).*auth|\/\/.*verify.*token|\/\/.*check.*permission/gi,
-    severity: 'high',
-    description: 'Commented out authentication/authorization code detected',
-    suggestedFix: 'Remove commented code or restore the security check',
-  },
+  // NOTE: 'Commented auth check' pattern has been replaced with smart comment analysis
+  // The isDisabledAuthComment() function distinguishes explanatory comments from disabled code
+  // This is handled specially in detectLogicGates() below
   // Skip validation patterns
   {
     name: 'Validation skip',
@@ -93,15 +94,20 @@ const LOGIC_PATTERNS: LogicPattern[] = [
     description: 'SSL/TLS certificate verification disabled',
     suggestedFix: 'Enable SSL verification to prevent man-in-the-middle attacks',
   },
-  // Insecure comparisons
+  // Insecure comparisons - ONLY flag actual secret comparisons
+  // Timing attacks are only relevant when comparing cryptographic secrets
+  // Do NOT flag: error codes, UI state, null checks, empty strings, route IDs, type checks
   {
     name: 'Timing attack vulnerable comparison',
-    pattern: /===?\s*['"][^'"]{20,}['"]|password\s*===?\s*|token\s*===?\s*|secret\s*===?\s*/gi,
+    // Only match explicit secret-related variable names being compared with ===
+    // This avoids flagging general string comparisons which are not timing-sensitive
+    pattern: /\b(password|secret|token|apiKey|api_key|credential|hash|digest|signature|privateKey|private_key|secretKey|secret_key)\s*===?\s*['"][^'"]+['"]/gi,
     severity: 'medium',
-    description: 'Direct string comparison may be vulnerable to timing attacks',
+    description: 'Direct comparison of secret value may be vulnerable to timing attacks',
     suggestedFix: 'Use constant-time comparison for secrets (e.g., crypto.timingSafeEqual)',
   },
-  // Unsafe redirects
+  // Unsafe redirects - NOTE: Now uses intent detection to distinguish from React state setters
+  // The pattern is checked, but isReactStateSetter() is used to skip false positives
   {
     name: 'Open redirect vulnerability',
     pattern: /redirect\s*\(\s*(req\.(query|params|body)\.|request\.|url\.)/gi,
@@ -132,30 +138,39 @@ function isComment(line: string): boolean {
 
 export function detectLogicGates(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
 
   // Check each line against patterns
   lines.forEach((line, index) => {
-    // Don't skip comments for the "commented auth check" pattern
-    const shouldSkipComments = !line.trim().startsWith('//')
+    // Skip comment lines (handled separately below for auth comments)
+    if (isComment(line)) {
+      return
+    }
 
     for (const logicPattern of LOGIC_PATTERNS) {
-      // Skip comment lines for most patterns
-      if (shouldSkipComments && isComment(line) && 
-          logicPattern.name !== 'Commented auth check') {
-        continue
-      }
-
       const regex = new RegExp(logicPattern.pattern.source, logicPattern.pattern.flags)
-      
+
       if (regex.test(line)) {
+        // Special handling for redirect patterns - check if it's actually a React state setter
+        if (logicPattern.name === 'Open redirect vulnerability') {
+          if (isReactStateSetter(line)) {
+            // This is a React state setter like setState(), not a redirect
+            continue
+          }
+          if (!isActualRedirect(line)) {
+            // This doesn't look like an actual redirect function
+            continue
+          }
+        }
+
         vulnerabilities.push({
           id: `logic-${filePath}-${index + 1}-${logicPattern.name}`,
           filePath,
@@ -167,13 +182,41 @@ export function detectLogicGates(
           description: logicPattern.description,
           suggestedFix: logicPattern.suggestedFix,
           confidence: 'medium',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only report once per line
       }
     }
   })
 
+  // Smart comment analysis for disabled auth patterns
+  // Only flag comments that are genuinely disabled code, not explanatory comments
+  lines.forEach((line, index) => {
+    // Check if this is a comment line with auth-related content
+    if (isComment(line) && /auth|permission|verify|check|token/i.test(line)) {
+      // Use smart analysis to determine if this is disabled code
+      if (isDisabledAuthComment(lines, index)) {
+        vulnerabilities.push({
+          id: `logic-${filePath}-${index + 1}-commented-auth-check`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'security_bypass',
+          title: 'Commented auth check',
+          description: 'Commented out authentication/authorization code detected. This may indicate disabled security controls.',
+          suggestedFix: 'Remove commented code or restore the security check',
+          confidence: 'medium',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+        })
+      }
+    }
+  })
+
   // Multi-line pattern detection (for more complex patterns)
   const multiLineFindings = detectMultiLinePatterns(content, filePath)
   vulnerabilities.push(...multiLineFindings)
@@ -203,7 +246,9 @@ function detectMultiLinePatterns(content: string, filePath: string): Vulnerabili
       description: 'Try-catch block with minimal error handling may hide security issues',
       suggestedFix: 'Log errors appropriately and handle them based on type',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   }
 

package/src/{layer2 → detect/structural}/risky-imports.ts

@@ -3,8 +3,11 @@
  * Detects imports of packages known to have security concerns or deprecated
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import { isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isScannerOrFixtureFile } from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.20
 
 interface RiskyPackage {
   name: string
@@ -152,14 +155,15 @@ function isComment(line: string): boolean {
 
 export function detectRiskyImports(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) return vulnerabilities
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
 
   lines.forEach((line, index) => {
     // Skip comment lines
@@ -180,7 +184,9 @@ export function detectRiskyImports(
           description: pkg.description,
           suggestedFix: pkg.suggestedFix,
           confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only report once per line
       }

package/src/detect/structural/security-headers.ts

@@ -0,0 +1,231 @@
+/**
+ * Layer 2: Security Headers Detector
+ * Detects missing HTTP security headers in server configurations
+ *
+ * OWASP A02:2021 - Cryptographic Failures / Security Misconfiguration
+ * CWE-693: Protection Mechanism Failure
+ */
+
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import {
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.35
+
+interface SecurityHeadersOptions {
+  parsed?: ParsedFile
+}
+
+/**
+ * Check if a file is client-side (not a server file)
+ */
+function isClientSideFile(content: string, filePath: string): boolean {
+  // Explicit 'use client' directive
+  if (/['"]use client['"]/.test(content)) return true
+
+  // Client-side file paths
+  const clientPatterns = [
+    /\/components\//i,
+    /\/hooks\//i,
+    /\/pages\/(?!api\/)/i, // pages/ but not pages/api/
+    /\.client\.(ts|js|tsx|jsx)$/i,
+  ]
+
+  // Only apply path heuristics if no server indicators
+  if (clientPatterns.some(p => p.test(filePath))) {
+    // Check for server indicators that override
+    const hasServerIndicators =
+      content.includes('express()') ||
+      content.includes("require('express')") ||
+      content.includes('from \'express\'') ||
+      content.includes('from "express"') ||
+      content.includes('createServer') ||
+      /['"]use server['"]/.test(content)
+    if (!hasServerIndicators) return true
+  }
+
+  return false
+}
+
+/**
+ * Check if a file is a Next.js config file
+ */
+function isNextConfig(filePath: string): boolean {
+  return /next\.config\.(m?js|ts)$/.test(filePath)
+}
+
+/**
+ * Detect missing security headers in server configurations
+ */
+export function detectSecurityHeaders(
+  content: string,
+  filePath: string,
+  options?: SecurityHeadersOptions
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isTestOrMockFile(filePath)) return vulnerabilities
+  if (isClientSideFile(content, filePath)) return vulnerabilities
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
+
+  // --- Check 1: Express without helmet ---
+  const hasExpress =
+    content.includes('express()') ||
+    /require\s*\(\s*['"]express['"]\s*\)/.test(content) ||
+    /from\s+['"]express['"]/.test(content)
+
+  if (hasExpress) {
+    const hasHelmet =
+      /require\s*\(\s*['"]helmet['"]\s*\)/.test(content) ||
+      /from\s+['"]helmet['"]/.test(content) ||
+      /require\s*\(\s*['"]@fastify\/helmet['"]\s*\)/.test(content) ||
+      /from\s+['"]@fastify\/helmet['"]/.test(content)
+
+    if (!hasHelmet) {
+      // Find the line where express() is called
+      let expressLine = 0
+      let expressContent = ''
+      for (let i = 0; i < lines.length; i++) {
+        if (/express\s*\(\s*\)/.test(lines[i])) {
+          expressLine = i + 1
+          expressContent = lines[i].trim()
+          break
+        }
+      }
+
+      if (expressLine > 0) {
+        vulnerabilities.push({
+          id: `secheader-${filePath}-express-no-helmet`,
+          filePath,
+          lineNumber: expressLine,
+          lineContent: expressContent,
+          severity: 'medium',
+          category: 'missing_security_headers',
+          title: 'Express app without helmet security headers',
+          description:
+            'Express application does not use helmet middleware. This leaves the app without critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).',
+          suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
+          confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+          requiresAIValidation: true,
+        })
+      }
+    } else {
+      // --- Check 2: Helmet with CSP disabled ---
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]
+        if (/contentSecurityPolicy\s*:\s*false/.test(line)) {
+          vulnerabilities.push({
+            id: `secheader-${filePath}-${i + 1}-csp-disabled`,
+            filePath,
+            lineNumber: i + 1,
+            lineContent: line.trim(),
+            severity: 'low',
+            category: 'missing_security_headers',
+            title: 'Helmet CSP disabled',
+            description:
+              'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
+            suggestedFix:
+              'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
+            confidence: 'high',
+            baseConfidence: BASE_CONFIDENCE,
+            layer: 2,
+        source: 'structural' as const,
+          })
+        }
+      }
+    }
+  }
+
+  // --- Check 3: Next.js config missing headers ---
+  if (isNextConfig(filePath)) {
+    const hasHeadersExport =
+      /headers\s*\(\s*\)/.test(content) ||
+      /headers\s*:\s*(?:async\s*)?\(?\s*\)?\s*=>/.test(content) ||
+      /async\s+headers\s*\(\s*\)/.test(content)
+
+    if (!hasHeadersExport) {
+      vulnerabilities.push({
+        id: `secheader-${filePath}-nextjs-no-headers`,
+        filePath,
+        lineNumber: 1,
+        lineContent: lines[0]?.trim() || '',
+        severity: 'medium',
+        category: 'missing_security_headers',
+        title: 'Next.js config missing security headers',
+        description:
+          'next.config does not export a headers() function. Security headers (CSP, HSTS, X-Frame-Options) should be configured in Next.js config or middleware.',
+        suggestedFix:
+          'Add a headers() function to next.config.js that returns security headers array',
+        confidence: 'medium',
+        baseConfidence: BASE_CONFIDENCE,
+        layer: 2,
+        source: 'structural' as const,
+        requiresAIValidation: true,
+      })
+    }
+  }
+
+  // --- Check 4: Server setting some headers but missing critical ones ---
+  // Only check files that explicitly set response headers
+  const setsHeaders =
+    /res\.setHeader\s*\(/.test(content) ||
+    /response\.setHeader\s*\(/.test(content) ||
+    /res\.set\s*\(/.test(content) ||
+    /response\.headers\.set\s*\(/.test(content)
+
+  if (setsHeaders && !hasExpress) {
+    const criticalHeaders = [
+      { name: 'Content-Security-Policy', pattern: /content-security-policy/i },
+      { name: 'Strict-Transport-Security', pattern: /strict-transport-security/i },
+      { name: 'X-Content-Type-Options', pattern: /x-content-type-options/i },
+      { name: 'X-Frame-Options', pattern: /x-frame-options/i },
+    ]
+
+    const missingHeaders = criticalHeaders.filter(h => !h.pattern.test(content))
+
+    // Only flag if file sets SOME headers but omits critical ones
+    const presentHeaders = criticalHeaders.filter(h => h.pattern.test(content))
+    if (presentHeaders.length > 0 && missingHeaders.length > 0) {
+      // Find a line where headers are being set for reporting
+      let headerLine = 0
+      let headerContent = ''
+      for (let i = 0; i < lines.length; i++) {
+        if (/(?:res|response)\.(?:setHeader|set|headers\.set)\s*\(/.test(lines[i])) {
+          headerLine = i + 1
+          headerContent = lines[i].trim()
+          break
+        }
+      }
+
+      if (headerLine > 0) {
+        const missing = missingHeaders.map(h => h.name).join(', ')
+        vulnerabilities.push({
+          id: `secheader-${filePath}-${headerLine}-missing-headers`,
+          filePath,
+          lineNumber: headerLine,
+          lineContent: headerContent,
+          severity: 'low',
+          category: 'missing_security_headers',
+          title: 'Incomplete security headers',
+          description: `Server sets some response headers but is missing: ${missing}. Consider adding these critical security headers.`,
+          suggestedFix: `Add missing security headers: ${missing}`,
+          confidence: 'medium',
+          baseConfidence: BASE_CONFIDENCE,
+          layer: 2,
+        source: 'structural' as const,
+          requiresAIValidation: true,
+        })
+      }
+    }
+  }
+
+  return vulnerabilities
+}