@oculum/scanner 1.0.11 → 1.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/ai-context/index.d.ts +6 -0
- package/dist/ai-context/index.d.ts.map +1 -0
- package/dist/ai-context/index.js +13 -0
- package/dist/ai-context/index.js.map +1 -0
- package/dist/ai-context/manager.d.ts +67 -0
- package/dist/ai-context/manager.d.ts.map +1 -0
- package/dist/ai-context/manager.js +104 -0
- package/dist/ai-context/manager.js.map +1 -0
- package/dist/category-filter.d.ts +125 -0
- package/dist/category-filter.d.ts.map +1 -0
- package/dist/category-filter.js +360 -0
- package/dist/category-filter.js.map +1 -0
- package/dist/detect/ai-code/agent-tools.d.ts +22 -0
- package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
- package/dist/detect/ai-code/agent-tools.js +1509 -0
- package/dist/detect/ai-code/agent-tools.js.map +1 -0
- package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
- package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
- package/dist/detect/ai-code/byok-patterns.js +313 -0
- package/dist/detect/ai-code/byok-patterns.js.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.js +349 -0
- package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
- package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
- package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
- package/dist/detect/ai-code/execution-sinks.js +1158 -0
- package/dist/detect/ai-code/execution-sinks.js.map +1 -0
- package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
- package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
- package/dist/detect/ai-code/fingerprinting.js +665 -0
- package/dist/detect/ai-code/fingerprinting.js.map +1 -0
- package/dist/detect/ai-code/index.d.ts +12 -0
- package/dist/detect/ai-code/index.d.ts.map +1 -0
- package/dist/detect/ai-code/index.js +26 -0
- package/dist/detect/ai-code/index.js.map +1 -0
- package/dist/detect/ai-code/mcp-security.d.ts +20 -0
- package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
- package/dist/detect/ai-code/mcp-security.js +880 -0
- package/dist/detect/ai-code/mcp-security.js.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.js +447 -0
- package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
- package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
- package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
- package/dist/detect/ai-code/package-hallucination.js +841 -0
- package/dist/detect/ai-code/package-hallucination.js.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
- package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
- package/dist/detect/ai-code/rag-safety.d.ts +24 -0
- package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
- package/dist/detect/ai-code/rag-safety.js +913 -0
- package/dist/detect/ai-code/rag-safety.js.map +1 -0
- package/dist/detect/ai-code/schema-validation.d.ts +28 -0
- package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
- package/dist/detect/ai-code/schema-validation.js +378 -0
- package/dist/detect/ai-code/schema-validation.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts +27 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
- package/dist/detect/config/agent-skill-injection.js +472 -0
- package/dist/detect/config/agent-skill-injection.js.map +1 -0
- package/dist/detect/config/comments.d.ts +11 -0
- package/dist/detect/config/comments.d.ts.map +1 -0
- package/dist/detect/config/comments.js +206 -0
- package/dist/detect/config/comments.js.map +1 -0
- package/dist/detect/config/file-flags.d.ts +10 -0
- package/dist/detect/config/file-flags.d.ts.map +1 -0
- package/dist/detect/config/file-flags.js +124 -0
- package/dist/detect/config/file-flags.js.map +1 -0
- package/dist/detect/config/index.d.ts +7 -0
- package/dist/detect/config/index.d.ts.map +1 -0
- package/dist/detect/config/index.js +17 -0
- package/dist/detect/config/index.js.map +1 -0
- package/dist/detect/config/osv-check.d.ts +75 -0
- package/dist/detect/config/osv-check.d.ts.map +1 -0
- package/dist/detect/config/osv-check.js +309 -0
- package/dist/detect/config/osv-check.js.map +1 -0
- package/dist/detect/config/package-check.d.ts +63 -0
- package/dist/detect/config/package-check.d.ts.map +1 -0
- package/dist/detect/config/package-check.js +509 -0
- package/dist/detect/config/package-check.js.map +1 -0
- package/dist/detect/config/urls.d.ts +11 -0
- package/dist/detect/config/urls.d.ts.map +1 -0
- package/dist/detect/config/urls.js +450 -0
- package/dist/detect/config/urls.js.map +1 -0
- package/dist/detect/index.d.ts +37 -0
- package/dist/detect/index.d.ts.map +1 -0
- package/dist/detect/index.js +77 -0
- package/dist/detect/index.js.map +1 -0
- package/dist/detect/secrets/config-audit.d.ts +11 -0
- package/dist/detect/secrets/config-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-audit.js +315 -0
- package/dist/detect/secrets/config-audit.js.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.js +243 -0
- package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
- package/dist/detect/secrets/entropy.d.ts +11 -0
- package/dist/detect/secrets/entropy.d.ts.map +1 -0
- package/dist/detect/secrets/entropy.js +751 -0
- package/dist/detect/secrets/entropy.js.map +1 -0
- package/dist/detect/secrets/index.d.ts +36 -0
- package/dist/detect/secrets/index.d.ts.map +1 -0
- package/dist/detect/secrets/index.js +174 -0
- package/dist/detect/secrets/index.js.map +1 -0
- package/dist/detect/secrets/patterns.d.ts +11 -0
- package/dist/detect/secrets/patterns.d.ts.map +1 -0
- package/dist/detect/secrets/patterns.js +518 -0
- package/dist/detect/secrets/patterns.js.map +1 -0
- package/dist/detect/secrets/weak-crypto.d.ts +10 -0
- package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
- package/dist/detect/secrets/weak-crypto.js +432 -0
- package/dist/detect/secrets/weak-crypto.js.map +1 -0
- package/dist/detect/structural/auth-patterns.d.ts +22 -0
- package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
- package/dist/detect/structural/auth-patterns.js +533 -0
- package/dist/detect/structural/auth-patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
- package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.js +1193 -0
- package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
- package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
- package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/detect/structural/data-exposure.d.ts +19 -0
- package/dist/detect/structural/data-exposure.d.ts.map +1 -0
- package/dist/detect/structural/data-exposure.js +262 -0
- package/dist/detect/structural/data-exposure.js.map +1 -0
- package/dist/detect/structural/framework-checks.d.ts +10 -0
- package/dist/detect/structural/framework-checks.d.ts.map +1 -0
- package/dist/detect/structural/framework-checks.js +389 -0
- package/dist/detect/structural/framework-checks.js.map +1 -0
- package/dist/detect/structural/index.d.ts +71 -0
- package/dist/detect/structural/index.d.ts.map +1 -0
- package/dist/detect/structural/index.js +510 -0
- package/dist/detect/structural/index.js.map +1 -0
- package/dist/detect/structural/log-injection.d.ts +18 -0
- package/dist/detect/structural/log-injection.d.ts.map +1 -0
- package/dist/detect/structural/log-injection.js +217 -0
- package/dist/detect/structural/log-injection.js.map +1 -0
- package/dist/detect/structural/logic-gates.d.ts +10 -0
- package/dist/detect/structural/logic-gates.d.ts.map +1 -0
- package/dist/detect/structural/logic-gates.js +227 -0
- package/dist/detect/structural/logic-gates.js.map +1 -0
- package/dist/detect/structural/risky-imports.d.ts +10 -0
- package/dist/detect/structural/risky-imports.d.ts.map +1 -0
- package/dist/detect/structural/risky-imports.js +168 -0
- package/dist/detect/structural/risky-imports.js.map +1 -0
- package/dist/detect/structural/security-headers.d.ts +18 -0
- package/dist/detect/structural/security-headers.d.ts.map +1 -0
- package/dist/detect/structural/security-headers.js +196 -0
- package/dist/detect/structural/security-headers.js.map +1 -0
- package/dist/detect/structural/ssrf-detection.d.ts +18 -0
- package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
- package/dist/detect/structural/ssrf-detection.js +263 -0
- package/dist/detect/structural/ssrf-detection.js.map +1 -0
- package/dist/detect/structural/variables.d.ts +11 -0
- package/dist/detect/structural/variables.d.ts.map +1 -0
- package/dist/detect/structural/variables.js +159 -0
- package/dist/detect/structural/variables.js.map +1 -0
- package/dist/detect/structural/xxe-detection.d.ts +18 -0
- package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
- package/dist/detect/structural/xxe-detection.js +245 -0
- package/dist/detect/structural/xxe-detection.js.map +1 -0
- package/dist/filtering/context-adjustments.d.ts +23 -0
- package/dist/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/filtering/context-adjustments.js +100 -0
- package/dist/filtering/context-adjustments.js.map +1 -0
- package/dist/filtering/index.d.ts +3 -0
- package/dist/filtering/index.d.ts.map +1 -0
- package/dist/filtering/index.js +8 -0
- package/dist/filtering/index.js.map +1 -0
- package/dist/filtering/pipeline.d.ts +48 -0
- package/dist/filtering/pipeline.d.ts.map +1 -0
- package/dist/filtering/pipeline.js +76 -0
- package/dist/filtering/pipeline.js.map +1 -0
- package/dist/formatters/ai-context.d.ts +23 -0
- package/dist/formatters/ai-context.d.ts.map +1 -0
- package/dist/formatters/ai-context.js +238 -0
- package/dist/formatters/ai-context.js.map +1 -0
- package/dist/formatters/github-comment.d.ts +1 -1
- package/dist/formatters/github-comment.d.ts.map +1 -1
- package/dist/formatters/github-comment.js +2 -2
- package/dist/formatters/github-comment.js.map +1 -1
- package/dist/formatters/ide/claude-code.d.ts +17 -0
- package/dist/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/formatters/ide/claude-code.js +94 -0
- package/dist/formatters/ide/claude-code.js.map +1 -0
- package/dist/formatters/ide/cursor.d.ts +13 -0
- package/dist/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/formatters/ide/cursor.js +125 -0
- package/dist/formatters/ide/cursor.js.map +1 -0
- package/dist/formatters/ide/index.d.ts +62 -0
- package/dist/formatters/ide/index.d.ts.map +1 -0
- package/dist/formatters/ide/index.js +184 -0
- package/dist/formatters/ide/index.js.map +1 -0
- package/dist/formatters/ide/windsurf.d.ts +13 -0
- package/dist/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/formatters/ide/windsurf.js +117 -0
- package/dist/formatters/ide/windsurf.js.map +1 -0
- package/dist/formatters/index.d.ts +2 -0
- package/dist/formatters/index.d.ts.map +1 -1
- package/dist/formatters/index.js +17 -1
- package/dist/formatters/index.js.map +1 -1
- package/dist/index.d.ts +17 -60
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +67 -824
- package/dist/index.js.map +1 -1
- package/dist/layer1/comments.d.ts +4 -1
- package/dist/layer1/comments.d.ts.map +1 -1
- package/dist/layer1/comments.js +1 -1
- package/dist/layer1/comments.js.map +1 -1
- package/dist/layer1/config-audit.d.ts +4 -1
- package/dist/layer1/config-audit.d.ts.map +1 -1
- package/dist/layer1/config-audit.js +45 -11
- package/dist/layer1/config-audit.js.map +1 -1
- package/dist/layer1/config-mcp-audit.d.ts +4 -1
- package/dist/layer1/config-mcp-audit.d.ts.map +1 -1
- package/dist/layer1/config-mcp-audit.js +2 -2
- package/dist/layer1/config-mcp-audit.js.map +1 -1
- package/dist/layer1/entropy.d.ts +4 -1
- package/dist/layer1/entropy.d.ts.map +1 -1
- package/dist/layer1/entropy.js +212 -1
- package/dist/layer1/entropy.js.map +1 -1
- package/dist/layer1/file-flags.d.ts +4 -1
- package/dist/layer1/file-flags.d.ts.map +1 -1
- package/dist/layer1/file-flags.js +12 -5
- package/dist/layer1/file-flags.js.map +1 -1
- package/dist/layer1/index.d.ts.map +1 -1
- package/dist/layer1/index.js +14 -19
- package/dist/layer1/index.js.map +1 -1
- package/dist/layer1/patterns.d.ts +4 -1
- package/dist/layer1/patterns.d.ts.map +1 -1
- package/dist/layer1/patterns.js +34 -4
- package/dist/layer1/patterns.js.map +1 -1
- package/dist/layer1/urls.d.ts +4 -1
- package/dist/layer1/urls.d.ts.map +1 -1
- package/dist/layer1/urls.js +162 -14
- package/dist/layer1/urls.js.map +1 -1
- package/dist/layer1/weak-crypto.d.ts +4 -1
- package/dist/layer1/weak-crypto.d.ts.map +1 -1
- package/dist/layer1/weak-crypto.js +144 -7
- package/dist/layer1/weak-crypto.js.map +1 -1
- package/dist/layer2/ai-agent-tools.d.ts +4 -1
- package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
- package/dist/layer2/ai-agent-tools.js +661 -2
- package/dist/layer2/ai-agent-tools.js.map +1 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
- package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
- package/dist/layer2/ai-endpoint-protection.js +1 -1
- package/dist/layer2/ai-endpoint-protection.js.map +1 -1
- package/dist/layer2/ai-execution-sinks.d.ts +4 -1
- package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
- package/dist/layer2/ai-execution-sinks.js +252 -43
- package/dist/layer2/ai-execution-sinks.js.map +1 -1
- package/dist/layer2/ai-fingerprinting.d.ts +4 -1
- package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
- package/dist/layer2/ai-fingerprinting.js +25 -32
- package/dist/layer2/ai-fingerprinting.js.map +1 -1
- package/dist/layer2/ai-mcp-security.d.ts +4 -1
- package/dist/layer2/ai-mcp-security.d.ts.map +1 -1
- package/dist/layer2/ai-mcp-security.js +200 -2
- package/dist/layer2/ai-mcp-security.js.map +1 -1
- package/dist/layer2/ai-package-hallucination.d.ts +4 -1
- package/dist/layer2/ai-package-hallucination.d.ts.map +1 -1
- package/dist/layer2/ai-package-hallucination.js +136 -4
- package/dist/layer2/ai-package-hallucination.js.map +1 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
- package/dist/layer2/ai-prompt-hygiene.js +342 -28
- package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
- package/dist/layer2/ai-rag-safety.d.ts +4 -1
- package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
- package/dist/layer2/ai-rag-safety.js +82 -2
- package/dist/layer2/ai-rag-safety.js.map +1 -1
- package/dist/layer2/ai-schema-validation.d.ts +4 -1
- package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
- package/dist/layer2/ai-schema-validation.js +2 -2
- package/dist/layer2/ai-schema-validation.js.map +1 -1
- package/dist/layer2/auth-antipatterns.d.ts +2 -0
- package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
- package/dist/layer2/auth-antipatterns.js +205 -20
- package/dist/layer2/auth-antipatterns.js.map +1 -1
- package/dist/layer2/byok-patterns.d.ts +4 -1
- package/dist/layer2/byok-patterns.d.ts.map +1 -1
- package/dist/layer2/byok-patterns.js +2 -2
- package/dist/layer2/byok-patterns.js.map +1 -1
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +9 -4
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/dom-xss.js +73 -22
- package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -1
- package/dist/layer2/dangerous-functions/index.d.ts +4 -1
- package/dist/layer2/dangerous-functions/index.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/index.js +551 -20
- package/dist/layer2/dangerous-functions/index.js.map +1 -1
- package/dist/layer2/dangerous-functions/math-random.d.ts +54 -4
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/math-random.js +241 -16
- package/dist/layer2/dangerous-functions/math-random.js.map +1 -1
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/patterns.js +3 -1
- package/dist/layer2/dangerous-functions/patterns.js.map +1 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +3 -2
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.js +41 -120
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -1
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/utils/helpers.js +26 -3
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +14 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -1
- package/dist/layer2/data-exposure.d.ts +4 -1
- package/dist/layer2/data-exposure.d.ts.map +1 -1
- package/dist/layer2/data-exposure.js +11 -38
- package/dist/layer2/data-exposure.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts +4 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +3 -10
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +13 -1
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +107 -52
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/log-injection.d.ts +18 -0
- package/dist/layer2/log-injection.d.ts.map +1 -0
- package/dist/layer2/log-injection.js +214 -0
- package/dist/layer2/log-injection.js.map +1 -0
- package/dist/layer2/logic-gates.d.ts +4 -1
- package/dist/layer2/logic-gates.d.ts.map +1 -1
- package/dist/layer2/logic-gates.js +54 -20
- package/dist/layer2/logic-gates.js.map +1 -1
- package/dist/layer2/model-supply-chain.d.ts +4 -1
- package/dist/layer2/model-supply-chain.d.ts.map +1 -1
- package/dist/layer2/model-supply-chain.js +72 -4
- package/dist/layer2/model-supply-chain.js.map +1 -1
- package/dist/layer2/risky-imports.d.ts +4 -1
- package/dist/layer2/risky-imports.d.ts.map +1 -1
- package/dist/layer2/risky-imports.js +2 -2
- package/dist/layer2/risky-imports.js.map +1 -1
- package/dist/layer2/security-headers.d.ts +18 -0
- package/dist/layer2/security-headers.d.ts.map +1 -0
- package/dist/layer2/security-headers.js +187 -0
- package/dist/layer2/security-headers.js.map +1 -0
- package/dist/layer2/ssrf-detection.d.ts +18 -0
- package/dist/layer2/ssrf-detection.d.ts.map +1 -0
- package/dist/layer2/ssrf-detection.js +252 -0
- package/dist/layer2/ssrf-detection.js.map +1 -0
- package/dist/layer2/variables.d.ts +4 -1
- package/dist/layer2/variables.d.ts.map +1 -1
- package/dist/layer2/variables.js +2 -2
- package/dist/layer2/variables.js.map +1 -1
- package/dist/layer2/xxe-detection.d.ts +18 -0
- package/dist/layer2/xxe-detection.d.ts.map +1 -0
- package/dist/layer2/xxe-detection.js +242 -0
- package/dist/layer2/xxe-detection.js.map +1 -0
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -1
- package/dist/layer3/anthropic/auto-dismiss.js +11 -0
- package/dist/layer3/anthropic/auto-dismiss.js.map +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/index.js +3 -1
- package/dist/layer3/anthropic/prompts/index.js.map +1 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
- package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
- package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/validation.js +14 -410
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.js +6 -3
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/openai.js +6 -3
- package/dist/layer3/anthropic/providers/openai.js.map +1 -1
- package/dist/layer3/anthropic/request-builder.d.ts +11 -4
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
- package/dist/layer3/anthropic/request-builder.js +32 -16
- package/dist/layer3/anthropic/request-builder.js.map +1 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
- package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +2 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/utils/index.js +4 -1
- package/dist/layer3/anthropic/utils/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts +56 -0
- package/dist/model/auth-helper-detector.d.ts.map +1 -0
- package/dist/model/auth-helper-detector.js +360 -0
- package/dist/model/auth-helper-detector.js.map +1 -0
- package/dist/model/cross-file-taint.d.ts +40 -0
- package/dist/model/cross-file-taint.d.ts.map +1 -0
- package/dist/model/cross-file-taint.js +290 -0
- package/dist/model/cross-file-taint.js.map +1 -0
- package/dist/model/framework-models/django.d.ts +9 -0
- package/dist/model/framework-models/django.d.ts.map +1 -0
- package/dist/model/framework-models/django.js +82 -0
- package/dist/model/framework-models/django.js.map +1 -0
- package/dist/model/framework-models/express.d.ts +9 -0
- package/dist/model/framework-models/express.d.ts.map +1 -0
- package/dist/model/framework-models/express.js +52 -0
- package/dist/model/framework-models/express.js.map +1 -0
- package/dist/model/framework-models/index.d.ts +20 -0
- package/dist/model/framework-models/index.d.ts.map +1 -0
- package/dist/model/framework-models/index.js +102 -0
- package/dist/model/framework-models/index.js.map +1 -0
- package/dist/model/framework-models/nextjs.d.ts +9 -0
- package/dist/model/framework-models/nextjs.d.ts.map +1 -0
- package/dist/model/framework-models/nextjs.js +71 -0
- package/dist/model/framework-models/nextjs.js.map +1 -0
- package/dist/model/framework-models/prisma.d.ts +10 -0
- package/dist/model/framework-models/prisma.d.ts.map +1 -0
- package/dist/model/framework-models/prisma.js +54 -0
- package/dist/model/framework-models/prisma.js.map +1 -0
- package/dist/model/framework-models/react.d.ts +9 -0
- package/dist/model/framework-models/react.d.ts.map +1 -0
- package/dist/model/framework-models/react.js +67 -0
- package/dist/model/framework-models/react.js.map +1 -0
- package/dist/model/framework-models/sequelize.d.ts +9 -0
- package/dist/model/framework-models/sequelize.d.ts.map +1 -0
- package/dist/model/framework-models/sequelize.js +62 -0
- package/dist/model/framework-models/sequelize.js.map +1 -0
- package/dist/model/framework-models/types.d.ts +43 -0
- package/dist/model/framework-models/types.d.ts.map +1 -0
- package/dist/model/framework-models/types.js +10 -0
- package/dist/model/framework-models/types.js.map +1 -0
- package/dist/model/function-classifier.d.ts +32 -0
- package/dist/model/function-classifier.d.ts.map +1 -0
- package/dist/model/function-classifier.js +143 -0
- package/dist/model/function-classifier.js.map +1 -0
- package/dist/model/import-resolver.d.ts +45 -0
- package/dist/model/import-resolver.d.ts.map +1 -0
- package/dist/model/import-resolver.js +410 -0
- package/dist/model/import-resolver.js.map +1 -0
- package/dist/model/imported-auth-detector.d.ts +38 -0
- package/dist/model/imported-auth-detector.d.ts.map +1 -0
- package/dist/model/imported-auth-detector.js +199 -0
- package/dist/model/imported-auth-detector.js.map +1 -0
- package/dist/model/index.d.ts +63 -0
- package/dist/model/index.d.ts.map +1 -0
- package/dist/model/index.js +272 -0
- package/dist/model/index.js.map +1 -0
- package/dist/model/middleware-detector.d.ts +55 -0
- package/dist/model/middleware-detector.d.ts.map +1 -0
- package/dist/model/middleware-detector.js +382 -0
- package/dist/model/middleware-detector.js.map +1 -0
- package/dist/model/module-graph.d.ts +46 -0
- package/dist/model/module-graph.d.ts.map +1 -0
- package/dist/model/module-graph.js +187 -0
- package/dist/model/module-graph.js.map +1 -0
- package/dist/model/oauth-flow-detector.d.ts +41 -0
- package/dist/model/oauth-flow-detector.d.ts.map +1 -0
- package/dist/model/oauth-flow-detector.js +202 -0
- package/dist/model/oauth-flow-detector.js.map +1 -0
- package/dist/model/project-context.d.ts +119 -0
- package/dist/model/project-context.d.ts.map +1 -0
- package/dist/model/project-context.js +534 -0
- package/dist/model/project-context.js.map +1 -0
- package/dist/model/route-auth-resolver.d.ts +27 -0
- package/dist/model/route-auth-resolver.d.ts.map +1 -0
- package/dist/model/route-auth-resolver.js +182 -0
- package/dist/model/route-auth-resolver.js.map +1 -0
- package/dist/model/route-discovery/express.d.ts +25 -0
- package/dist/model/route-discovery/express.d.ts.map +1 -0
- package/dist/model/route-discovery/express.js +225 -0
- package/dist/model/route-discovery/express.js.map +1 -0
- package/dist/model/route-discovery/index.d.ts +21 -0
- package/dist/model/route-discovery/index.d.ts.map +1 -0
- package/dist/model/route-discovery/index.js +67 -0
- package/dist/model/route-discovery/index.js.map +1 -0
- package/dist/model/route-discovery/nextjs.d.ts +16 -0
- package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
- package/dist/model/route-discovery/nextjs.js +179 -0
- package/dist/model/route-discovery/nextjs.js.map +1 -0
- package/dist/model/route-discovery/python.d.ts +16 -0
- package/dist/model/route-discovery/python.d.ts.map +1 -0
- package/dist/model/route-discovery/python.js +181 -0
- package/dist/model/route-discovery/python.js.map +1 -0
- package/dist/model/route-discovery/types.d.ts +36 -0
- package/dist/model/route-discovery/types.d.ts.map +1 -0
- package/dist/model/route-discovery/types.js +16 -0
- package/dist/model/route-discovery/types.js.map +1 -0
- package/dist/model/route-discovery/utils.d.ts +18 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -0
- package/dist/model/route-discovery/utils.js +55 -0
- package/dist/model/route-discovery/utils.js.map +1 -0
- package/dist/model/route-hierarchy.d.ts +50 -0
- package/dist/model/route-hierarchy.d.ts.map +1 -0
- package/dist/model/route-hierarchy.js +226 -0
- package/dist/model/route-hierarchy.js.map +1 -0
- package/dist/model/sanitiser-detection.d.ts +27 -0
- package/dist/model/sanitiser-detection.d.ts.map +1 -0
- package/dist/model/sanitiser-detection.js +224 -0
- package/dist/model/sanitiser-detection.js.map +1 -0
- package/dist/model/sink-matcher.d.ts +17 -0
- package/dist/model/sink-matcher.d.ts.map +1 -0
- package/dist/model/sink-matcher.js +141 -0
- package/dist/model/sink-matcher.js.map +1 -0
- package/dist/model/sink-patterns.d.ts +19 -0
- package/dist/model/sink-patterns.d.ts.map +1 -0
- package/dist/model/sink-patterns.js +88 -0
- package/dist/model/sink-patterns.js.map +1 -0
- package/dist/model/source-discovery.d.ts +15 -0
- package/dist/model/source-discovery.d.ts.map +1 -0
- package/dist/model/source-discovery.js +170 -0
- package/dist/model/source-discovery.js.map +1 -0
- package/dist/model/taint-tracker.d.ts +21 -0
- package/dist/model/taint-tracker.d.ts.map +1 -0
- package/dist/model/taint-tracker.js +281 -0
- package/dist/model/taint-tracker.js.map +1 -0
- package/dist/model/taint-types.d.ts +74 -0
- package/dist/model/taint-types.d.ts.map +1 -0
- package/dist/model/taint-types.js +9 -0
- package/dist/model/taint-types.js.map +1 -0
- package/dist/model/trpc-analyzer.d.ts +78 -0
- package/dist/model/trpc-analyzer.d.ts.map +1 -0
- package/dist/model/trpc-analyzer.js +297 -0
- package/dist/model/trpc-analyzer.js.map +1 -0
- package/dist/modes/incremental.js +1 -1
- package/dist/parse/file-classifier.d.ts +228 -0
- package/dist/parse/file-classifier.d.ts.map +1 -0
- package/dist/parse/file-classifier.js +933 -0
- package/dist/parse/file-classifier.js.map +1 -0
- package/dist/parse/path-exclusions.d.ts +55 -0
- package/dist/parse/path-exclusions.d.ts.map +1 -0
- package/dist/parse/path-exclusions.js +224 -0
- package/dist/parse/path-exclusions.js.map +1 -0
- package/dist/pipeline/config.d.ts +39 -0
- package/dist/pipeline/config.d.ts.map +1 -0
- package/dist/pipeline/config.js +46 -0
- package/dist/pipeline/config.js.map +1 -0
- package/dist/pipeline/index.d.ts +34 -0
- package/dist/pipeline/index.d.ts.map +1 -0
- package/dist/pipeline/index.js +377 -0
- package/dist/pipeline/index.js.map +1 -0
- package/dist/pipeline/modes/incremental.d.ts +66 -0
- package/dist/pipeline/modes/incremental.d.ts.map +1 -0
- package/dist/pipeline/modes/incremental.js +200 -0
- package/dist/pipeline/modes/incremental.js.map +1 -0
- package/dist/postprocess/aggregation.d.ts +14 -0
- package/dist/postprocess/aggregation.d.ts.map +1 -0
- package/dist/postprocess/aggregation.js +63 -0
- package/dist/postprocess/aggregation.js.map +1 -0
- package/dist/postprocess/contradictions.d.ts +18 -0
- package/dist/postprocess/contradictions.d.ts.map +1 -0
- package/dist/postprocess/contradictions.js +99 -0
- package/dist/postprocess/contradictions.js.map +1 -0
- package/dist/postprocess/dedup.d.ts +13 -0
- package/dist/postprocess/dedup.d.ts.map +1 -0
- package/dist/postprocess/dedup.js +58 -0
- package/dist/postprocess/dedup.js.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.js +100 -0
- package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
- package/dist/postprocess/filtering/index.d.ts +3 -0
- package/dist/postprocess/filtering/index.d.ts.map +1 -0
- package/dist/postprocess/filtering/index.js +8 -0
- package/dist/postprocess/filtering/index.js.map +1 -0
- package/dist/postprocess/filtering/pipeline.d.ts +48 -0
- package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
- package/dist/postprocess/filtering/pipeline.js +76 -0
- package/dist/postprocess/filtering/pipeline.js.map +1 -0
- package/dist/postprocess/index.d.ts +41 -0
- package/dist/postprocess/index.d.ts.map +1 -0
- package/dist/postprocess/index.js +85 -0
- package/dist/postprocess/index.js.map +1 -0
- package/dist/postprocess/suppression/config-loader.d.ts +74 -0
- package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
- package/dist/postprocess/suppression/config-loader.js +424 -0
- package/dist/postprocess/suppression/config-loader.js.map +1 -0
- package/dist/postprocess/suppression/hash.d.ts +48 -0
- package/dist/postprocess/suppression/hash.d.ts.map +1 -0
- package/dist/postprocess/suppression/hash.js +88 -0
- package/dist/postprocess/suppression/hash.js.map +1 -0
- package/dist/postprocess/suppression/index.d.ts +11 -0
- package/dist/postprocess/suppression/index.d.ts.map +1 -0
- package/dist/postprocess/suppression/index.js +39 -0
- package/dist/postprocess/suppression/index.js.map +1 -0
- package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
- package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
- package/dist/postprocess/suppression/inline-parser.js +218 -0
- package/dist/postprocess/suppression/inline-parser.js.map +1 -0
- package/dist/postprocess/suppression/manager.d.ts +94 -0
- package/dist/postprocess/suppression/manager.d.ts.map +1 -0
- package/dist/postprocess/suppression/manager.js +292 -0
- package/dist/postprocess/suppression/manager.js.map +1 -0
- package/dist/postprocess/suppression/types.d.ts +151 -0
- package/dist/postprocess/suppression/types.d.ts.map +1 -0
- package/dist/postprocess/suppression/types.js +28 -0
- package/dist/postprocess/suppression/types.js.map +1 -0
- package/dist/postprocess/validation-cap.d.ts +17 -0
- package/dist/postprocess/validation-cap.d.ts.map +1 -0
- package/dist/postprocess/validation-cap.js +64 -0
- package/dist/postprocess/validation-cap.js.map +1 -0
- package/dist/report/build-result.d.ts +33 -0
- package/dist/report/build-result.d.ts.map +1 -0
- package/dist/report/build-result.js +59 -0
- package/dist/report/build-result.js.map +1 -0
- package/dist/report/enrichment.d.ts +19 -0
- package/dist/report/enrichment.d.ts.map +1 -0
- package/dist/report/enrichment.js +44 -0
- package/dist/report/enrichment.js.map +1 -0
- package/dist/report/formatters/ai-context.d.ts +23 -0
- package/dist/report/formatters/ai-context.d.ts.map +1 -0
- package/dist/report/formatters/ai-context.js +238 -0
- package/dist/report/formatters/ai-context.js.map +1 -0
- package/dist/report/formatters/cli-terminal.d.ts +65 -0
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/report/formatters/cli-terminal.js +735 -0
- package/dist/report/formatters/cli-terminal.js.map +1 -0
- package/dist/report/formatters/github-comment.d.ts +41 -0
- package/dist/report/formatters/github-comment.d.ts.map +1 -0
- package/dist/report/formatters/github-comment.js +370 -0
- package/dist/report/formatters/github-comment.js.map +1 -0
- package/dist/report/formatters/grouping.d.ts +52 -0
- package/dist/report/formatters/grouping.d.ts.map +1 -0
- package/dist/report/formatters/grouping.js +152 -0
- package/dist/report/formatters/grouping.js.map +1 -0
- package/dist/report/formatters/ide/claude-code.d.ts +17 -0
- package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/report/formatters/ide/claude-code.js +94 -0
- package/dist/report/formatters/ide/claude-code.js.map +1 -0
- package/dist/report/formatters/ide/cursor.d.ts +13 -0
- package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/report/formatters/ide/cursor.js +125 -0
- package/dist/report/formatters/ide/cursor.js.map +1 -0
- package/dist/report/formatters/ide/index.d.ts +62 -0
- package/dist/report/formatters/ide/index.d.ts.map +1 -0
- package/dist/report/formatters/ide/index.js +184 -0
- package/dist/report/formatters/ide/index.js.map +1 -0
- package/dist/report/formatters/ide/windsurf.d.ts +13 -0
- package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/report/formatters/ide/windsurf.js +117 -0
- package/dist/report/formatters/ide/windsurf.js.map +1 -0
- package/dist/report/formatters/index.d.ts +11 -0
- package/dist/report/formatters/index.d.ts.map +1 -0
- package/dist/report/formatters/index.js +54 -0
- package/dist/report/formatters/index.js.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.js +151 -0
- package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/report/summary.d.ts +27 -0
- package/dist/report/summary.d.ts.map +1 -0
- package/dist/report/summary.js +57 -0
- package/dist/report/summary.js.map +1 -0
- package/dist/rules/metadata.d.ts.map +1 -1
- package/dist/rules/metadata.js +66 -0
- package/dist/rules/metadata.js.map +1 -1
- package/dist/score/adjustments.d.ts +22 -0
- package/dist/score/adjustments.d.ts.map +1 -0
- package/dist/score/adjustments.js +373 -0
- package/dist/score/adjustments.js.map +1 -0
- package/dist/score/auto-dismiss.d.ts +28 -0
- package/dist/score/auto-dismiss.d.ts.map +1 -0
- package/dist/score/auto-dismiss.js +200 -0
- package/dist/score/auto-dismiss.js.map +1 -0
- package/dist/score/confidence.d.ts +19 -0
- package/dist/score/confidence.d.ts.map +1 -0
- package/dist/score/confidence.js +52 -0
- package/dist/score/confidence.js.map +1 -0
- package/dist/score/index.d.ts +61 -0
- package/dist/score/index.d.ts.map +1 -0
- package/dist/score/index.js +250 -0
- package/dist/score/index.js.map +1 -0
- package/dist/score/types.d.ts +160 -0
- package/dist/score/types.d.ts.map +1 -0
- package/dist/score/types.js +14 -0
- package/dist/score/types.js.map +1 -0
- package/dist/shared/ai-context/index.d.ts +6 -0
- package/dist/shared/ai-context/index.d.ts.map +1 -0
- package/dist/shared/ai-context/index.js +13 -0
- package/dist/shared/ai-context/index.js.map +1 -0
- package/dist/shared/ai-context/manager.d.ts +67 -0
- package/dist/shared/ai-context/manager.d.ts.map +1 -0
- package/dist/shared/ai-context/manager.js +104 -0
- package/dist/shared/ai-context/manager.js.map +1 -0
- package/dist/shared/baseline/diff.d.ts +32 -0
- package/dist/shared/baseline/diff.d.ts.map +1 -0
- package/dist/shared/baseline/diff.js +119 -0
- package/dist/shared/baseline/diff.js.map +1 -0
- package/dist/shared/baseline/index.d.ts +9 -0
- package/dist/shared/baseline/index.d.ts.map +1 -0
- package/dist/shared/baseline/index.js +19 -0
- package/dist/shared/baseline/index.js.map +1 -0
- package/dist/shared/baseline/manager.d.ts +67 -0
- package/dist/shared/baseline/manager.d.ts.map +1 -0
- package/dist/shared/baseline/manager.js +180 -0
- package/dist/shared/baseline/manager.js.map +1 -0
- package/dist/shared/baseline/types.d.ts +91 -0
- package/dist/shared/baseline/types.d.ts.map +1 -0
- package/dist/shared/baseline/types.js +12 -0
- package/dist/shared/baseline/types.js.map +1 -0
- package/dist/shared/category-filter.d.ts +125 -0
- package/dist/shared/category-filter.d.ts.map +1 -0
- package/dist/shared/category-filter.js +360 -0
- package/dist/shared/category-filter.js.map +1 -0
- package/dist/shared/code-analysis.d.ts +39 -0
- package/dist/shared/code-analysis.d.ts.map +1 -0
- package/dist/shared/code-analysis.js +159 -0
- package/dist/shared/code-analysis.js.map +1 -0
- package/dist/shared/comment-analyzer.d.ts +38 -0
- package/dist/shared/comment-analyzer.d.ts.map +1 -0
- package/dist/shared/comment-analyzer.js +218 -0
- package/dist/shared/comment-analyzer.js.map +1 -0
- package/dist/shared/diff-detector.d.ts +53 -0
- package/dist/shared/diff-detector.d.ts.map +1 -0
- package/dist/shared/diff-detector.js +104 -0
- package/dist/shared/diff-detector.js.map +1 -0
- package/dist/shared/diff-parser.d.ts +80 -0
- package/dist/shared/diff-parser.d.ts.map +1 -0
- package/dist/shared/diff-parser.js +202 -0
- package/dist/shared/diff-parser.js.map +1 -0
- package/dist/shared/environment-context.d.ts +76 -0
- package/dist/shared/environment-context.d.ts.map +1 -0
- package/dist/shared/environment-context.js +271 -0
- package/dist/shared/environment-context.js.map +1 -0
- package/dist/shared/intent-detector.d.ts +66 -0
- package/dist/shared/intent-detector.d.ts.map +1 -0
- package/dist/shared/intent-detector.js +282 -0
- package/dist/shared/intent-detector.js.map +1 -0
- package/dist/shared/parsed-file.d.ts +51 -0
- package/dist/shared/parsed-file.d.ts.map +1 -0
- package/dist/shared/parsed-file.js +95 -0
- package/dist/shared/parsed-file.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +93 -0
- package/dist/shared/registry-clients.d.ts.map +1 -0
- package/dist/shared/registry-clients.js +273 -0
- package/dist/shared/registry-clients.js.map +1 -0
- package/dist/shared/rules/framework-fixes.d.ts +48 -0
- package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
- package/dist/shared/rules/framework-fixes.js +439 -0
- package/dist/shared/rules/framework-fixes.js.map +1 -0
- package/dist/shared/rules/index.d.ts +8 -0
- package/dist/shared/rules/index.d.ts.map +1 -0
- package/dist/shared/rules/index.js +18 -0
- package/dist/shared/rules/index.js.map +1 -0
- package/dist/shared/rules/metadata.d.ts +43 -0
- package/dist/shared/rules/metadata.d.ts.map +1 -0
- package/dist/shared/rules/metadata.js +819 -0
- package/dist/shared/rules/metadata.js.map +1 -0
- package/dist/shared/schema-semantics.d.ts +45 -0
- package/dist/shared/schema-semantics.d.ts.map +1 -0
- package/dist/shared/schema-semantics.js +193 -0
- package/dist/shared/schema-semantics.js.map +1 -0
- package/dist/shared/types.d.ts +337 -0
- package/dist/shared/types.d.ts.map +1 -0
- package/dist/shared/types.js +126 -0
- package/dist/shared/types.js.map +1 -0
- package/dist/tiers.d.ts +4 -4
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +17 -7
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +79 -9
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +34 -0
- package/dist/types.js.map +1 -1
- package/dist/utils/code-analysis.d.ts +39 -0
- package/dist/utils/code-analysis.d.ts.map +1 -0
- package/dist/utils/code-analysis.js +159 -0
- package/dist/utils/code-analysis.js.map +1 -0
- package/dist/utils/comment-analyzer.d.ts +38 -0
- package/dist/utils/comment-analyzer.d.ts.map +1 -0
- package/dist/utils/comment-analyzer.js +218 -0
- package/dist/utils/comment-analyzer.js.map +1 -0
- package/dist/utils/context-helpers.d.ts +108 -1
- package/dist/utils/context-helpers.d.ts.map +1 -1
- package/dist/utils/context-helpers.js +351 -2
- package/dist/utils/context-helpers.js.map +1 -1
- package/dist/utils/environment-context.d.ts +76 -0
- package/dist/utils/environment-context.d.ts.map +1 -0
- package/dist/utils/environment-context.js +271 -0
- package/dist/utils/environment-context.js.map +1 -0
- package/dist/utils/intent-detector.d.ts +66 -0
- package/dist/utils/intent-detector.d.ts.map +1 -0
- package/dist/utils/intent-detector.js +282 -0
- package/dist/utils/intent-detector.js.map +1 -0
- package/dist/utils/parsed-file.d.ts +51 -0
- package/dist/utils/parsed-file.d.ts.map +1 -0
- package/dist/utils/parsed-file.js +95 -0
- package/dist/utils/parsed-file.js.map +1 -0
- package/dist/utils/route-hierarchy.d.ts +50 -0
- package/dist/utils/route-hierarchy.d.ts.map +1 -0
- package/dist/utils/route-hierarchy.js +226 -0
- package/dist/utils/route-hierarchy.js.map +1 -0
- package/dist/utils/schema-semantics.d.ts +45 -0
- package/dist/utils/schema-semantics.d.ts.map +1 -0
- package/dist/utils/schema-semantics.js +193 -0
- package/dist/utils/schema-semantics.js.map +1 -0
- package/dist/validate/clients.d.ts +44 -0
- package/dist/validate/clients.d.ts.map +1 -0
- package/dist/validate/clients.js +81 -0
- package/dist/validate/clients.js.map +1 -0
- package/dist/validate/index.d.ts +41 -0
- package/dist/validate/index.d.ts.map +1 -0
- package/dist/validate/index.js +141 -0
- package/dist/validate/index.js.map +1 -0
- package/dist/validate/prompts/index.d.ts +8 -0
- package/dist/validate/prompts/index.d.ts.map +1 -0
- package/dist/validate/prompts/index.js +16 -0
- package/dist/validate/prompts/index.js.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.js +156 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
- package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/validate/prompts/modules/auth-access.js +25 -0
- package/dist/validate/prompts/modules/auth-access.js.map +1 -0
- package/dist/validate/prompts/modules/common.d.ts +11 -0
- package/dist/validate/prompts/modules/common.d.ts.map +1 -0
- package/dist/validate/prompts/modules/common.js +186 -0
- package/dist/validate/prompts/modules/common.js.map +1 -0
- package/dist/validate/prompts/modules/index.d.ts +54 -0
- package/dist/validate/prompts/modules/index.d.ts.map +1 -0
- package/dist/validate/prompts/modules/index.js +186 -0
- package/dist/validate/prompts/modules/index.js.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.js +84 -0
- package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
- package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.js +22 -0
- package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
- package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/validate/prompts/semantic-analysis.js +169 -0
- package/dist/validate/prompts/semantic-analysis.js.map +1 -0
- package/dist/validate/prompts/validation.d.ts +18 -0
- package/dist/validate/prompts/validation.d.ts.map +1 -0
- package/dist/validate/prompts/validation.js +25 -0
- package/dist/validate/prompts/validation.js.map +1 -0
- package/dist/validate/providers/anthropic.d.ts +17 -0
- package/dist/validate/providers/anthropic.d.ts.map +1 -0
- package/dist/validate/providers/anthropic.js +260 -0
- package/dist/validate/providers/anthropic.js.map +1 -0
- package/dist/validate/providers/index.d.ts +8 -0
- package/dist/validate/providers/index.d.ts.map +1 -0
- package/dist/validate/providers/index.js +13 -0
- package/dist/validate/providers/index.js.map +1 -0
- package/dist/validate/providers/openai.d.ts +14 -0
- package/dist/validate/providers/openai.d.ts.map +1 -0
- package/dist/validate/providers/openai.js +336 -0
- package/dist/validate/providers/openai.js.map +1 -0
- package/dist/validate/request-builder.d.ts +61 -0
- package/dist/validate/request-builder.d.ts.map +1 -0
- package/dist/validate/request-builder.js +346 -0
- package/dist/validate/request-builder.js.map +1 -0
- package/dist/validate/types.d.ts +88 -0
- package/dist/validate/types.d.ts.map +1 -0
- package/dist/validate/types.js +38 -0
- package/dist/validate/types.js.map +1 -0
- package/dist/validate/utils/context-extractor.d.ts +55 -0
- package/dist/validate/utils/context-extractor.d.ts.map +1 -0
- package/dist/validate/utils/context-extractor.js +161 -0
- package/dist/validate/utils/context-extractor.js.map +1 -0
- package/dist/validate/utils/index.d.ts +11 -0
- package/dist/validate/utils/index.d.ts.map +1 -0
- package/dist/validate/utils/index.js +27 -0
- package/dist/validate/utils/index.js.map +1 -0
- package/dist/validate/utils/path-helpers.d.ts +21 -0
- package/dist/validate/utils/path-helpers.d.ts.map +1 -0
- package/dist/validate/utils/path-helpers.js +69 -0
- package/dist/validate/utils/path-helpers.js.map +1 -0
- package/dist/validate/utils/response-parser.d.ts +40 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -0
- package/dist/validate/utils/response-parser.js +286 -0
- package/dist/validate/utils/response-parser.js.map +1 -0
- package/dist/validate/utils/retry.d.ts +15 -0
- package/dist/validate/utils/retry.d.ts.map +1 -0
- package/dist/validate/utils/retry.js +62 -0
- package/dist/validate/utils/retry.js.map +1 -0
- package/package.json +8 -7
- package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +27 -0
- package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
- package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
- package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
- package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
- package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +12 -12
- package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
- package/src/__tests__/benchmark/types.ts +1 -1
- package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
- package/src/__tests__/category-filter.test.ts +478 -0
- package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
- package/src/__tests__/context-engine/framework-models.test.ts +457 -0
- package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
- package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
- package/src/__tests__/context-engine/integration.test.ts +320 -0
- package/src/__tests__/context-engine/module-graph.test.ts +159 -0
- package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
- package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
- package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
- package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
- package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
- package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
- package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
- package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
- package/src/__tests__/regression/known-false-positives.test.ts +801 -3
- package/src/__tests__/score/adjustments.test.ts +385 -0
- package/src/__tests__/score/confidence.test.ts +283 -0
- package/src/__tests__/score/framework-scoring.test.ts +275 -0
- package/src/__tests__/score/route-scoring.test.ts +156 -0
- package/src/__tests__/score/scoring-integration.test.ts +165 -0
- package/src/__tests__/score/taint-adjustments.test.ts +244 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +50 -58
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -12
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +3 -3
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
- package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
- package/src/__tests__/validate/route-annotations.test.ts +138 -0
- package/src/__tests__/validation/analyze-results.ts +1 -1
- package/src/__tests__/validation/extract-for-triage.ts +1 -1
- package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
- package/src/__tests__/validation/run-validation.ts +7 -7
- package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +729 -4
- package/src/{layer2 → detect/ai-code}/byok-patterns.ts +20 -6
- package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +10 -4
- package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +272 -46
- package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +46 -34
- package/src/detect/ai-code/index.ts +11 -0
- package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +212 -5
- package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +85 -6
- package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +170 -6
- package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +393 -28
- package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +91 -4
- package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +10 -4
- package/src/detect/config/agent-skill-injection.ts +551 -0
- package/src/{layer1 → detect/config}/comments.ts +8 -2
- package/src/{layer1 → detect/config}/file-flags.ts +23 -6
- package/src/detect/config/index.ts +6 -0
- package/src/{layer3 → detect/config}/osv-check.ts +3 -2
- package/src/{layer3 → detect/config}/package-check.ts +3 -2
- package/src/{layer1 → detect/config}/urls.ts +196 -15
- package/src/detect/index.ts +131 -0
- package/src/{layer1 → detect/secrets}/config-audit.ts +56 -12
- package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +11 -4
- package/src/{layer1 → detect/secrets}/entropy.ts +256 -11
- package/src/{layer1 → detect/secrets}/index.ts +43 -46
- package/src/{layer1 → detect/secrets}/patterns.ts +51 -6
- package/src/{layer1 → detect/secrets}/weak-crypto.ts +174 -17
- package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +249 -27
- package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +94 -22
- package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +672 -65
- package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +269 -17
- package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +4 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
- package/src/detect/structural/dangerous-functions/utils/control-flow.ts +35 -0
- package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +16 -1
- package/src/{layer2 → detect/structural}/data-exposure.ts +23 -40
- package/src/{layer2 → detect/structural}/framework-checks.ts +13 -12
- package/src/{layer2 → detect/structural}/index.ts +144 -122
- package/src/detect/structural/log-injection.ts +254 -0
- package/src/{layer2 → detect/structural}/logic-gates.ts +69 -24
- package/src/{layer2 → detect/structural}/risky-imports.ts +10 -4
- package/src/detect/structural/security-headers.ts +231 -0
- package/src/detect/structural/ssrf-detection.ts +300 -0
- package/src/{layer2 → detect/structural}/variables.ts +10 -4
- package/src/detect/structural/xxe-detection.ts +295 -0
- package/src/index.ts +64 -1038
- package/src/{utils → model}/auth-helper-detector.ts +1 -1
- package/src/model/cross-file-taint.ts +374 -0
- package/src/model/framework-models/django.ts +82 -0
- package/src/model/framework-models/express.ts +54 -0
- package/src/model/framework-models/index.ts +116 -0
- package/src/model/framework-models/nextjs.ts +69 -0
- package/src/model/framework-models/prisma.ts +57 -0
- package/src/model/framework-models/react.ts +63 -0
- package/src/model/framework-models/sequelize.ts +63 -0
- package/src/model/framework-models/types.ts +46 -0
- package/src/model/function-classifier.ts +184 -0
- package/src/model/import-resolver.ts +453 -0
- package/src/{utils → model}/imported-auth-detector.ts +21 -85
- package/src/model/index.ts +353 -0
- package/src/{utils → model}/middleware-detector.ts +156 -17
- package/src/model/module-graph.ts +254 -0
- package/src/{utils → model}/oauth-flow-detector.ts +1 -1
- package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
- package/src/model/route-auth-resolver.ts +216 -0
- package/src/model/route-discovery/express.ts +251 -0
- package/src/model/route-discovery/index.ts +83 -0
- package/src/model/route-discovery/nextjs.ts +216 -0
- package/src/model/route-discovery/python.ts +214 -0
- package/src/model/route-discovery/types.ts +48 -0
- package/src/model/route-discovery/utils.ts +54 -0
- package/src/model/route-hierarchy.ts +250 -0
- package/src/model/sanitiser-detection.ts +268 -0
- package/src/model/sink-matcher.ts +178 -0
- package/src/model/sink-patterns.ts +109 -0
- package/src/model/source-discovery.ts +209 -0
- package/src/model/taint-tracker.ts +333 -0
- package/src/model/taint-types.ts +149 -0
- package/src/{utils → model}/trpc-analyzer.ts +1 -1
- package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +462 -2
- package/src/{utils → parse}/path-exclusions.ts +1 -1
- package/src/pipeline/config.ts +81 -0
- package/src/pipeline/index.ts +437 -0
- package/src/{modes → pipeline/modes}/incremental.ts +6 -6
- package/src/postprocess/aggregation.ts +74 -0
- package/src/postprocess/contradictions.ts +128 -0
- package/src/postprocess/dedup.ts +62 -0
- package/src/postprocess/filtering/__tests__/pipeline.test.ts +134 -0
- package/src/postprocess/filtering/context-adjustments.ts +111 -0
- package/src/postprocess/filtering/index.ts +10 -0
- package/src/postprocess/filtering/pipeline.ts +130 -0
- package/src/postprocess/index.ts +118 -0
- package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
- package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
- package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
- package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
- package/src/{suppression → postprocess/suppression}/types.ts +2 -2
- package/src/postprocess/validation-cap.ts +66 -0
- package/src/report/build-result.ts +94 -0
- package/src/report/enrichment.ts +52 -0
- package/src/report/formatters/__tests__/ai-context.test.ts +254 -0
- package/src/report/formatters/ai-context.ts +302 -0
- package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
- package/src/{formatters → report/formatters}/github-comment.ts +4 -4
- package/src/{formatters → report/formatters}/grouping.ts +8 -8
- package/src/report/formatters/ide/__tests__/ide.test.ts +319 -0
- package/src/report/formatters/ide/claude-code.ts +110 -0
- package/src/report/formatters/ide/cursor.ts +147 -0
- package/src/report/formatters/ide/index.ts +216 -0
- package/src/report/formatters/ide/windsurf.ts +135 -0
- package/src/{formatters → report/formatters}/index.ts +24 -0
- package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
- package/src/report/summary.ts +70 -0
- package/src/score/adjustments.ts +387 -0
- package/src/{layer3/anthropic → score}/auto-dismiss.ts +26 -14
- package/src/score/confidence.ts +66 -0
- package/src/score/index.ts +316 -0
- package/src/score/types.ts +187 -0
- package/src/shared/__tests__/code-analysis.test.ts +165 -0
- package/src/shared/__tests__/parsed-file.test.ts +124 -0
- package/src/shared/ai-context/__tests__/manager.test.ts +193 -0
- package/src/shared/ai-context/index.ts +15 -0
- package/src/shared/ai-context/manager.ts +145 -0
- package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
- package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +2 -2
- package/src/{baseline → shared/baseline}/diff.ts +1 -1
- package/src/{baseline → shared/baseline}/manager.ts +1 -1
- package/src/shared/category-filter.ts +400 -0
- package/src/{layer2/dangerous-functions/utils/control-flow.ts → shared/code-analysis.ts} +56 -39
- package/src/shared/comment-analyzer.ts +249 -0
- package/src/shared/environment-context.ts +304 -0
- package/src/shared/intent-detector.ts +318 -0
- package/src/shared/parsed-file.ts +103 -0
- package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
- package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
- package/src/{rules → shared/rules}/metadata.ts +94 -0
- package/src/shared/schema-semantics.ts +233 -0
- package/src/{types.ts → shared/types.ts} +142 -11
- package/src/tiers.ts +27 -10
- package/src/validate/__tests__/context-extractor.test.ts +191 -0
- package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
- package/src/validate/__tests__/request-builder.test.ts +347 -0
- package/src/{layer3/anthropic → validate}/index.ts +8 -7
- package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
- package/src/validate/prompts/modules/ai-patterns.ts +153 -0
- package/src/validate/prompts/modules/auth-access.ts +22 -0
- package/src/validate/prompts/modules/common.ts +183 -0
- package/src/validate/prompts/modules/index.ts +204 -0
- package/src/validate/prompts/modules/owasp-classic.ts +81 -0
- package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
- package/src/validate/prompts/modules/xss-prompt.ts +19 -0
- package/src/validate/prompts/validation.ts +20 -0
- package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
- package/src/validate/providers/index.ts +8 -0
- package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
- package/src/validate/request-builder.ts +448 -0
- package/src/{layer3/anthropic → validate}/types.ts +1 -1
- package/src/validate/utils/context-extractor.ts +220 -0
- package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
- package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
- package/src/layer3/anthropic/prompts/validation.ts +0 -419
- package/src/layer3/anthropic/providers/index.ts +0 -8
- package/src/layer3/anthropic/request-builder.ts +0 -150
- package/src/layer3/index.ts +0 -168
- /package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/types.ts +0 -0
- /package/src/{utils → shared}/diff-detector.ts +0 -0
- /package/src/{utils → shared}/diff-parser.ts +0 -0
- /package/src/{utils → shared}/registry-clients.ts +0 -0
- /package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
- /package/src/{rules → shared/rules}/index.ts +0 -0
- /package/src/{layer3/anthropic → validate}/clients.ts +0 -0
- /package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0
|
@@ -0,0 +1,684 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Math.random() Detection
|
|
4
|
+
*
|
|
5
|
+
* Context-aware detection of Math.random() usage with intelligent severity
|
|
6
|
+
* classification based on usage context, variable names, and function intent.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.isJitterOrBackoffContext = isJitterOrBackoffContext;
|
|
10
|
+
exports.isReactKeyPattern = isReactKeyPattern;
|
|
11
|
+
exports.isCosmeticMathRandom = isCosmeticMathRandom;
|
|
12
|
+
exports.classifyFunctionIntent = classifyFunctionIntent;
|
|
13
|
+
exports.analyzeToStringPattern = analyzeToStringPattern;
|
|
14
|
+
exports.extractMathRandomVariableName = extractMathRandomVariableName;
|
|
15
|
+
exports.classifyVariableNameRisk = classifyVariableNameRisk;
|
|
16
|
+
exports.analyzeMathRandomContext = analyzeMathRandomContext;
|
|
17
|
+
exports.isAnimationFile = isAnimationFile;
|
|
18
|
+
exports.isAnimationCoordinateUsage = isAnimationCoordinateUsage;
|
|
19
|
+
exports.isTemplatePlaceholderGenerator = isTemplatePlaceholderGenerator;
|
|
20
|
+
exports.shouldSkipMathRandom = shouldSkipMathRandom;
|
|
21
|
+
const file_classifier_1 = require("../../../parse/file-classifier");
|
|
22
|
+
const control_flow_1 = require("./utils/control-flow");
|
|
23
|
+
/**
|
|
24
|
+
* Check if Math.random() is used in a jitter/backoff/retry context
|
|
25
|
+
* These are legitimate uses of Math.random() for network resilience,
|
|
26
|
+
* not security-sensitive randomness.
|
|
27
|
+
*
|
|
28
|
+
* Examples:
|
|
29
|
+
* const delay = baseDelay + Math.random() * jitter
|
|
30
|
+
* setTimeout(retry, delay * Math.random())
|
|
31
|
+
* await sleep(backoff * (1 + Math.random() * 0.1))
|
|
32
|
+
*
|
|
33
|
+
* @param content - Full file content
|
|
34
|
+
* @param lineNumber - The 0-indexed line number where Math.random() was found
|
|
35
|
+
*/
|
|
36
|
+
function isJitterOrBackoffContext(content, lineNumber, lines) {
|
|
37
|
+
const _lines = lines ?? content.split('\n');
|
|
38
|
+
const start = Math.max(0, lineNumber - 10);
|
|
39
|
+
const end = Math.min(_lines.length, lineNumber + 5);
|
|
40
|
+
const context = _lines.slice(start, end).join('\n');
|
|
41
|
+
// Patterns indicating jitter/backoff/retry context
|
|
42
|
+
const jitterPatterns = [
|
|
43
|
+
// Direct keyword matches
|
|
44
|
+
/\b(jitter|backoff|retry|retries|exponential)\b/i,
|
|
45
|
+
// Delay/timeout with random
|
|
46
|
+
/setTimeout.*Math\.random/i,
|
|
47
|
+
/setInterval.*Math\.random/i,
|
|
48
|
+
/sleep.*Math\.random/i,
|
|
49
|
+
/await.*delay.*Math\.random/i,
|
|
50
|
+
// Common backoff patterns
|
|
51
|
+
/\* Math\.random\(\).*delay/i,
|
|
52
|
+
/delay\s*\*\s*Math\.random/i,
|
|
53
|
+
/Math\.random\(\)\s*\*\s*\d+.*delay/i,
|
|
54
|
+
// Retry-related function names
|
|
55
|
+
/function\s+(retry|withRetry|backoff|withBackoff|exponentialBackoff)/i,
|
|
56
|
+
// Common retry library patterns
|
|
57
|
+
/retryPolicy|retryConfig|retryOptions|maxRetries|retryCount/i,
|
|
58
|
+
// Network resilience patterns
|
|
59
|
+
/\b(throttle|debounce|rateLimit)\b.*Math\.random/i,
|
|
60
|
+
// Sampling/probability for non-security uses
|
|
61
|
+
/sampleRate|samplingRate|probability\s*[<>]=?\s*Math\.random/i,
|
|
62
|
+
];
|
|
63
|
+
return jitterPatterns.some(p => p.test(context));
|
|
64
|
+
}
|
|
65
|
+
/**
|
|
66
|
+
* Check if Math.random() is used in a React key prop context
|
|
67
|
+
* This is a common pattern to force re-renders, not a security issue.
|
|
68
|
+
*
|
|
69
|
+
* Examples:
|
|
70
|
+
* key={Math.random()}
|
|
71
|
+
* key={`prefix-${Math.random()}`}
|
|
72
|
+
* key={Math.random().toString()}
|
|
73
|
+
*
|
|
74
|
+
* @param lineContent - The line of code to check
|
|
75
|
+
* @param filePath - The file path (only check JSX/TSX files)
|
|
76
|
+
*/
|
|
77
|
+
function isReactKeyPattern(lineContent, filePath) {
|
|
78
|
+
// Only check in JSX/TSX files
|
|
79
|
+
if (!/\.[jt]sx$/.test(filePath)) {
|
|
80
|
+
return false;
|
|
81
|
+
}
|
|
82
|
+
// Pattern: key={...Math.random()...}
|
|
83
|
+
// Matches:
|
|
84
|
+
// key={Math.random()}
|
|
85
|
+
// key={`foo-${Math.random()}`}
|
|
86
|
+
// key={Math.random().toString()}
|
|
87
|
+
// key={`${Math.random()}-bar`}
|
|
88
|
+
// key={something + Math.random()}
|
|
89
|
+
const keyPattern = /key\s*=\s*\{[^}]*Math\.random\(\)/;
|
|
90
|
+
return keyPattern.test(lineContent);
|
|
91
|
+
}
|
|
92
|
+
/**
|
|
93
|
+
* Check if Math.random() is used for cosmetic/UI purposes (not security)
|
|
94
|
+
* Cosmetic uses: CSS values, animations, UI variations, demo data
|
|
95
|
+
* Security uses: tokens, IDs, cryptographic operations, session management
|
|
96
|
+
*/
|
|
97
|
+
function isCosmeticMathRandom(lineContent, content, lineNumber, lines) {
|
|
98
|
+
const _lines = lines ?? content.split('\n');
|
|
99
|
+
// Check the line itself for cosmetic indicators
|
|
100
|
+
const cosmeticLinePatterns = [
|
|
101
|
+
// CSS/style values
|
|
102
|
+
/['"`]\s*\$\{.*Math\.random.*\}\s*%['"`]/, // `${Math.random() * 40 + 50}%`
|
|
103
|
+
/Math\.random.*\s*\+\s*['"`]%['"`]/, // Math.random() * 40 + '%'
|
|
104
|
+
/Math\.random.*\)\s*\*\s*\d+\s*\+\s*\d+\s*\}\s*%/, // }) * 40 + 50}%
|
|
105
|
+
/return\s+`.*Math\.random.*%`/, // return `${...}%`
|
|
106
|
+
/width:\s*['"`].*Math\.random/i, // width: `${Math.random()...}%`
|
|
107
|
+
/height:\s*['"`].*Math\.random/i, // height: `${Math.random()...}%`
|
|
108
|
+
/opacity:\s*['"`]?.*Math\.random/i, // opacity: Math.random()
|
|
109
|
+
/transform:\s*['"`]?.*Math\.random/i, // transform: translate(...)
|
|
110
|
+
/rotate\(.*Math\.random/i, // rotate(Math.random() * 360)
|
|
111
|
+
/translate\(.*Math\.random/i, // translate(Math.random() * 100)
|
|
112
|
+
/scale\(.*Math\.random/i, // scale(Math.random() * 2)
|
|
113
|
+
// Color/animation values
|
|
114
|
+
/rgba?\(.*Math\.random/i, // rgb(Math.random() * 255, ...)
|
|
115
|
+
/hsl\(.*Math\.random/i, // hsl(Math.random() * 360, ...)
|
|
116
|
+
/Math\.random.*\*\s*360/, // Math.random() * 360 (degrees/hue)
|
|
117
|
+
/Math\.random.*\*\s*255/, // Math.random() * 255 (RGB values)
|
|
118
|
+
// Array/list randomization for UI
|
|
119
|
+
/Math\.floor\(Math\.random.*\.length\)/, // Math.floor(Math.random() * array.length)
|
|
120
|
+
/\[Math\.floor\(Math\.random/, // array[Math.floor(Math.random()...)]
|
|
121
|
+
// Demo/placeholder data
|
|
122
|
+
/Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bpx\b/i, // Math.random() * 100 + 50 + 'px'
|
|
123
|
+
/Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bms\b/i, // Math.random() * 1000 + 500 + 'ms'
|
|
124
|
+
/Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bs\b/i, // Math.random() * 5 + 2 + 's'
|
|
125
|
+
// NOTE: toString patterns removed - now handled by analyzeToStringPattern()
|
|
126
|
+
// which provides more granular severity classification (info/low/medium/high)
|
|
127
|
+
// based on truncation length and context
|
|
128
|
+
];
|
|
129
|
+
if (cosmeticLinePatterns.some(p => p.test(lineContent))) {
|
|
130
|
+
return true;
|
|
131
|
+
}
|
|
132
|
+
// Check surrounding context (5 lines before and after)
|
|
133
|
+
const contextStart = Math.max(0, lineNumber - 5);
|
|
134
|
+
const contextEnd = Math.min(_lines.length, lineNumber + 5);
|
|
135
|
+
const context = _lines.slice(contextStart, contextEnd).join('\n');
|
|
136
|
+
// Context indicators of cosmetic use
|
|
137
|
+
const cosmeticContextPatterns = [
|
|
138
|
+
// UI component files - REMOVED, let severity classification handle these
|
|
139
|
+
// Style-related variables/functions
|
|
140
|
+
/\b(style|styles|css|className|animation|transition)/i,
|
|
141
|
+
/\b(width|height|opacity|color|transform|rotate|scale|translate)/i,
|
|
142
|
+
// Demo/example data
|
|
143
|
+
/\b(demo|example|placeholder|mock|fake|sample|test)Data/i,
|
|
144
|
+
/\b(random|shuffle|pick|choose).*\b(color|item|element|option)/i,
|
|
145
|
+
// Animation/timing
|
|
146
|
+
/setTimeout.*Math\.random/i,
|
|
147
|
+
/setInterval.*Math\.random/i,
|
|
148
|
+
/delay.*Math\.random/i,
|
|
149
|
+
/duration.*Math\.random/i,
|
|
150
|
+
// UI state variations
|
|
151
|
+
/\b(variant|theme|layout|position).*Math\.random/i,
|
|
152
|
+
// NOTE: Removed UI identifier patterns (key, id, tempId, etc.) - these should be
|
|
153
|
+
// classified with info/low severity by the severity classification logic, not skipped entirely
|
|
154
|
+
];
|
|
155
|
+
if (cosmeticContextPatterns.some(p => p.test(context))) {
|
|
156
|
+
return true;
|
|
157
|
+
}
|
|
158
|
+
// Security-sensitive patterns that override cosmetic detection
|
|
159
|
+
const securityPatterns = [
|
|
160
|
+
/\b(token|secret|key|password|credential|signature)/i,
|
|
161
|
+
/\b(auth|crypto|encrypt|decrypt|hash)/i,
|
|
162
|
+
/\b(session|nonce|salt)\b/i,
|
|
163
|
+
/Math\.random.*\*\s*1e\d+/, // Math.random() * 1e16 (large numbers for IDs)
|
|
164
|
+
];
|
|
165
|
+
if (securityPatterns.some(p => p.test(lineContent) || p.test(context))) {
|
|
166
|
+
return false; // Not cosmetic - this is security-sensitive
|
|
167
|
+
}
|
|
168
|
+
// Check for .toString(36) WITHOUT substring/slice/substr (security token pattern)
|
|
169
|
+
// If it has substring/slice/substr, it's already caught by cosmeticLinePatterns above
|
|
170
|
+
const hasToString36WithoutTruncation = /Math\.random\(\)\.toString\(36\)/.test(lineContent) &&
|
|
171
|
+
!/\.(substring|substr|slice)\(/.test(lineContent);
|
|
172
|
+
const hasToString16WithoutTruncation = /Math\.random\(\)\.toString\(16\)/.test(lineContent) &&
|
|
173
|
+
!/\.(substring|substr|slice)\(/.test(lineContent);
|
|
174
|
+
if (hasToString36WithoutTruncation || hasToString16WithoutTruncation) {
|
|
175
|
+
return false; // Full-length toString() without truncation - likely security token
|
|
176
|
+
}
|
|
177
|
+
return false; // Default to flagging if unclear
|
|
178
|
+
}
|
|
179
|
+
/**
|
|
180
|
+
* Classify function intent based on function name
|
|
181
|
+
* Used to determine if Math.random() usage is legitimate
|
|
182
|
+
*/
|
|
183
|
+
function classifyFunctionIntent(functionName) {
|
|
184
|
+
if (!functionName)
|
|
185
|
+
return 'unknown';
|
|
186
|
+
const lower = functionName.toLowerCase();
|
|
187
|
+
// UUID/ID generation (UI correlation, not security)
|
|
188
|
+
// Check for specific UUID patterns and generic ID generation functions
|
|
189
|
+
const uuidPatterns = ['uuid', 'guid', 'uniqueid', 'correlationid', 'tempid', 'temp_id'];
|
|
190
|
+
// Match patterns like generateId, generateTempId, createId, etc.
|
|
191
|
+
const idGenerationPatterns = /^(generate|create|make|build)(\w*)?(id|identifier)$/i;
|
|
192
|
+
if (uuidPatterns.some(p => lower.includes(p)) ||
|
|
193
|
+
idGenerationPatterns.test(lower)) {
|
|
194
|
+
return 'uuid';
|
|
195
|
+
}
|
|
196
|
+
// CAPTCHA/puzzle generation (legitimate non-security)
|
|
197
|
+
const captchaPatterns = ['captcha', 'puzzle', 'mathproblem'];
|
|
198
|
+
// Also check for 'challenge' but only if not in security context
|
|
199
|
+
if (captchaPatterns.some(p => lower.includes(p)))
|
|
200
|
+
return 'captcha';
|
|
201
|
+
if (lower.includes('challenge') && !lower.includes('auth'))
|
|
202
|
+
return 'captcha';
|
|
203
|
+
// Demo/seed/fixture data
|
|
204
|
+
const demoPatterns = ['seed', 'fixture', 'demo', 'mock', 'fake'];
|
|
205
|
+
if (demoPatterns.some(p => lower.includes(p)))
|
|
206
|
+
return 'demo';
|
|
207
|
+
// Security-sensitive (check this after id generation to avoid false positives)
|
|
208
|
+
const securityPatterns = [
|
|
209
|
+
'token',
|
|
210
|
+
'secret',
|
|
211
|
+
'key',
|
|
212
|
+
'password',
|
|
213
|
+
'credential',
|
|
214
|
+
'signature',
|
|
215
|
+
];
|
|
216
|
+
// Also match generate/create + security term combinations
|
|
217
|
+
const securityFunctionPattern = /^(generate|create|make)(token|secret|key|session|password|credential)/i;
|
|
218
|
+
if (securityPatterns.some(p => lower.includes(p)) ||
|
|
219
|
+
securityFunctionPattern.test(lower)) {
|
|
220
|
+
return 'security';
|
|
221
|
+
}
|
|
222
|
+
return 'unknown';
|
|
223
|
+
}
|
|
224
|
+
/**
|
|
225
|
+
* Analyze toString() pattern in Math.random() usage
|
|
226
|
+
* Determines intent based on base and truncation length
|
|
227
|
+
*/
|
|
228
|
+
function analyzeToStringPattern(lineContent) {
|
|
229
|
+
const toString36Match = lineContent.match(/Math\.random\(\)\.toString\(36\)/);
|
|
230
|
+
const toString16Match = lineContent.match(/Math\.random\(\)\.toString\(16\)/);
|
|
231
|
+
if (!toString36Match && !toString16Match) {
|
|
232
|
+
return {
|
|
233
|
+
hasToString: false,
|
|
234
|
+
base: null,
|
|
235
|
+
isTruncated: false,
|
|
236
|
+
truncationLength: null,
|
|
237
|
+
intent: 'unknown',
|
|
238
|
+
};
|
|
239
|
+
}
|
|
240
|
+
const base = toString36Match ? 36 : 16;
|
|
241
|
+
// Check for truncation methods
|
|
242
|
+
const substringMatch = lineContent.match(/\.substring\((\d+)(?:,\s*(\d+))?\)/);
|
|
243
|
+
const sliceMatch = lineContent.match(/\.slice\((\d+)(?:,\s*(\d+))?\)/);
|
|
244
|
+
const substrMatch = lineContent.match(/\.substr\((\d+)(?:,\s*(\d+))?\)/);
|
|
245
|
+
const truncMatch = substringMatch || sliceMatch || substrMatch;
|
|
246
|
+
if (!truncMatch) {
|
|
247
|
+
return {
|
|
248
|
+
hasToString: true,
|
|
249
|
+
base,
|
|
250
|
+
isTruncated: false,
|
|
251
|
+
truncationLength: null,
|
|
252
|
+
intent: 'full-token',
|
|
253
|
+
};
|
|
254
|
+
}
|
|
255
|
+
// Calculate truncation length
|
|
256
|
+
const start = parseInt(truncMatch[1]);
|
|
257
|
+
const end = truncMatch[2] ? parseInt(truncMatch[2]) : null;
|
|
258
|
+
// If no end specified (e.g., .substring(7)), the result is from start to end of string
|
|
259
|
+
// Math.random().toString(36) produces ~11 chars like "0.abc123def"
|
|
260
|
+
// .substring(2) gives ~9 chars, .substring(7) gives ~4 chars
|
|
261
|
+
// Estimate remaining length: ~11 - start
|
|
262
|
+
const estimatedFullLength = 11;
|
|
263
|
+
const length = end ? end - start : (start >= 2 ? estimatedFullLength - start : null);
|
|
264
|
+
// Classify intent by length
|
|
265
|
+
// Short (2-9 chars): UI correlation IDs, React keys
|
|
266
|
+
// Medium (10-15 chars): Business IDs, order numbers
|
|
267
|
+
if (length && length <= 9) {
|
|
268
|
+
return {
|
|
269
|
+
hasToString: true,
|
|
270
|
+
base,
|
|
271
|
+
isTruncated: true,
|
|
272
|
+
truncationLength: length,
|
|
273
|
+
intent: 'short-ui-id',
|
|
274
|
+
};
|
|
275
|
+
}
|
|
276
|
+
else if (length && length <= 15) {
|
|
277
|
+
return {
|
|
278
|
+
hasToString: true,
|
|
279
|
+
base,
|
|
280
|
+
isTruncated: true,
|
|
281
|
+
truncationLength: length,
|
|
282
|
+
intent: 'business-id',
|
|
283
|
+
};
|
|
284
|
+
}
|
|
285
|
+
else {
|
|
286
|
+
return {
|
|
287
|
+
hasToString: true,
|
|
288
|
+
base,
|
|
289
|
+
isTruncated: true,
|
|
290
|
+
truncationLength: length,
|
|
291
|
+
intent: 'business-id',
|
|
292
|
+
};
|
|
293
|
+
}
|
|
294
|
+
}
|
|
295
|
+
/**
|
|
296
|
+
* Extract variable name from Math.random() assignment
|
|
297
|
+
* Examples:
|
|
298
|
+
* const token = Math.random() -> "token"
|
|
299
|
+
* const businessId = Math.random().toString(36) -> "businessId"
|
|
300
|
+
* return Math.random() -> null (no variable)
|
|
301
|
+
*/
|
|
302
|
+
function extractMathRandomVariableName(lineContent) {
|
|
303
|
+
// const/let/var variableName = Math.random...
|
|
304
|
+
const assignmentMatch = lineContent.match(/(?:const|let|var)\s+(\w+)\s*=.*Math\.random/);
|
|
305
|
+
if (assignmentMatch)
|
|
306
|
+
return assignmentMatch[1];
|
|
307
|
+
// object.property = Math.random...
|
|
308
|
+
const propertyMatch = lineContent.match(/(\w+)\s*[:=]\s*Math\.random/);
|
|
309
|
+
if (propertyMatch)
|
|
310
|
+
return propertyMatch[1];
|
|
311
|
+
// function parameter default: functionName(param = Math.random())
|
|
312
|
+
const paramMatch = lineContent.match(/(\w+)\s*=\s*Math\.random/);
|
|
313
|
+
if (paramMatch)
|
|
314
|
+
return paramMatch[1];
|
|
315
|
+
return null; // No variable name found
|
|
316
|
+
}
|
|
317
|
+
/**
|
|
318
|
+
* Classify variable name security risk based on naming patterns
|
|
319
|
+
*
|
|
320
|
+
* High risk: Security-sensitive names (token, secret, key, etc.)
|
|
321
|
+
* Medium risk: Unclear context
|
|
322
|
+
* Low risk: Non-security names (id, businessId, orderId, etc.)
|
|
323
|
+
*/
|
|
324
|
+
function classifyVariableNameRisk(varName) {
|
|
325
|
+
if (!varName)
|
|
326
|
+
return 'medium'; // Unknown usage, moderate risk
|
|
327
|
+
const lower = varName.toLowerCase();
|
|
328
|
+
// High risk: security-sensitive variable names
|
|
329
|
+
// Note: 'key' alone is NOT included - it often means React key, not crypto key
|
|
330
|
+
// Instead, we match specific security key patterns
|
|
331
|
+
const highRiskPatterns = [
|
|
332
|
+
'token',
|
|
333
|
+
'secret',
|
|
334
|
+
'password',
|
|
335
|
+
'credential',
|
|
336
|
+
'signature',
|
|
337
|
+
'salt',
|
|
338
|
+
'nonce',
|
|
339
|
+
'session',
|
|
340
|
+
'csrf',
|
|
341
|
+
'auth',
|
|
342
|
+
'apikey',
|
|
343
|
+
'secretkey',
|
|
344
|
+
'privatekey',
|
|
345
|
+
'encryptionkey',
|
|
346
|
+
'accesstoken',
|
|
347
|
+
'refreshtoken',
|
|
348
|
+
'jwt',
|
|
349
|
+
'bearer',
|
|
350
|
+
'oauth',
|
|
351
|
+
'sessionid',
|
|
352
|
+
];
|
|
353
|
+
if (highRiskPatterns.some(p => lower.includes(p))) {
|
|
354
|
+
return 'high';
|
|
355
|
+
}
|
|
356
|
+
// Low risk: clearly non-security contexts
|
|
357
|
+
const lowRiskPatterns = [
|
|
358
|
+
// Business identifiers
|
|
359
|
+
'id',
|
|
360
|
+
'uid',
|
|
361
|
+
'guid',
|
|
362
|
+
'business',
|
|
363
|
+
'order',
|
|
364
|
+
'invoice',
|
|
365
|
+
'customer',
|
|
366
|
+
'user',
|
|
367
|
+
'product',
|
|
368
|
+
'item',
|
|
369
|
+
'transaction',
|
|
370
|
+
'request',
|
|
371
|
+
'reference',
|
|
372
|
+
'tracking',
|
|
373
|
+
'confirmation',
|
|
374
|
+
// Test/demo data
|
|
375
|
+
'test',
|
|
376
|
+
'mock',
|
|
377
|
+
'demo',
|
|
378
|
+
'sample',
|
|
379
|
+
'example',
|
|
380
|
+
'fixture',
|
|
381
|
+
'random',
|
|
382
|
+
'temp',
|
|
383
|
+
'temporary',
|
|
384
|
+
'generated',
|
|
385
|
+
'dummy',
|
|
386
|
+
// UI identifiers (checked after high-risk, so 'apikey' etc. already caught)
|
|
387
|
+
'key',
|
|
388
|
+
'toast',
|
|
389
|
+
'notification',
|
|
390
|
+
'element',
|
|
391
|
+
'component',
|
|
392
|
+
'widget',
|
|
393
|
+
'modal',
|
|
394
|
+
'dialog',
|
|
395
|
+
'popup',
|
|
396
|
+
'unique',
|
|
397
|
+
'react',
|
|
398
|
+
// Non-security randomness usage (backoff/sampling/experiments)
|
|
399
|
+
'jitter',
|
|
400
|
+
'retry',
|
|
401
|
+
'backoff',
|
|
402
|
+
'delay',
|
|
403
|
+
'timeout',
|
|
404
|
+
'latency',
|
|
405
|
+
'sample',
|
|
406
|
+
'sampling',
|
|
407
|
+
'probability',
|
|
408
|
+
'chance',
|
|
409
|
+
'rollout',
|
|
410
|
+
'experiment',
|
|
411
|
+
'abtest',
|
|
412
|
+
'cohort',
|
|
413
|
+
'bucket',
|
|
414
|
+
'variant',
|
|
415
|
+
];
|
|
416
|
+
if (lowRiskPatterns.some(p => lower.includes(p))) {
|
|
417
|
+
return 'low';
|
|
418
|
+
}
|
|
419
|
+
return 'medium'; // Unclear context, moderate risk
|
|
420
|
+
}
|
|
421
|
+
/**
|
|
422
|
+
* Analyze surrounding code context for security signals
|
|
423
|
+
* Returns context type and description for severity classification
|
|
424
|
+
*/
|
|
425
|
+
function analyzeMathRandomContext(content, filePath, lineNumber, lines) {
|
|
426
|
+
const _lines = lines ?? content.split('\n');
|
|
427
|
+
const start = Math.max(0, lineNumber - 10);
|
|
428
|
+
const end = Math.min(_lines.length, lineNumber + 5);
|
|
429
|
+
const context = _lines.slice(start, end).join('\n');
|
|
430
|
+
// Security context indicators (functions, imports, comments)
|
|
431
|
+
const securityPatterns = [
|
|
432
|
+
/\b(generate|create)(Token|Secret|Key|Password|Nonce|Salt|Session|Signature)/i,
|
|
433
|
+
/\b(auth|crypto|encrypt|decrypt|hash|sign)\b/i,
|
|
434
|
+
/function\s+.*(?:token|secret|key|auth|crypto)/i,
|
|
435
|
+
/\bimport.*(?:crypto|jsonwebtoken|bcrypt|argon2|jose)/i,
|
|
436
|
+
/\/\*.*(?:security|authentication|cryptograph|authorization)/i,
|
|
437
|
+
/\/\/.*(?:security|auth|crypto|token|secret)/i,
|
|
438
|
+
];
|
|
439
|
+
const inSecurityContext = securityPatterns.some(p => p.test(context));
|
|
440
|
+
// Test context
|
|
441
|
+
const testFilePatterns = /\.(test|spec)\.(ts|tsx|js|jsx)$/i;
|
|
442
|
+
const testContextPatterns = [
|
|
443
|
+
/\b(describe|it|test|expect|mock|jest|vitest|mocha|chai)\b/i,
|
|
444
|
+
/\b(beforeEach|afterEach|beforeAll|afterAll)\b/i,
|
|
445
|
+
/\b(fixture|stub|spy)\b/i,
|
|
446
|
+
];
|
|
447
|
+
const inTestContext = testFilePatterns.test(filePath) ||
|
|
448
|
+
testContextPatterns.some(p => p.test(context));
|
|
449
|
+
// UI/cosmetic context (reuse existing logic)
|
|
450
|
+
const lineContent = _lines[lineNumber];
|
|
451
|
+
const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber, _lines);
|
|
452
|
+
// Business logic context (non-security ID generation)
|
|
453
|
+
// Note: UUID/CAPTCHA patterns excluded - handled by functionIntent classification
|
|
454
|
+
const businessLogicPatterns = [
|
|
455
|
+
/\b(business|order|invoice|customer|product|transaction)Id\b/i,
|
|
456
|
+
/\b(reference|tracking|confirmation)Number\b/i,
|
|
457
|
+
/\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
|
|
458
|
+
/\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i,
|
|
459
|
+
// Load balancing and selection patterns
|
|
460
|
+
/mode\s*===?\s*['"]random['"]/i, // mode === 'random'
|
|
461
|
+
/\.\w*index\s*%/i, // round-robin patterns
|
|
462
|
+
/keys?\[.*Math\.random/i, // keys[Math.floor(Math.random() * keys.length)]
|
|
463
|
+
/\[\s*Math\.floor\s*\(\s*Math\.random/i, // array[Math.floor(Math.random()...)]
|
|
464
|
+
/shuffle/i, // shuffle functions
|
|
465
|
+
/pickRandom/i, // pickRandom helpers
|
|
466
|
+
/randomElement/i, // randomElement helpers
|
|
467
|
+
];
|
|
468
|
+
const inBusinessLogicContext = businessLogicPatterns.some(p => p.test(context)) && !inSecurityContext;
|
|
469
|
+
// Determine context description
|
|
470
|
+
let contextDescription = 'unknown context';
|
|
471
|
+
if (inSecurityContext) {
|
|
472
|
+
contextDescription = 'security-sensitive function';
|
|
473
|
+
}
|
|
474
|
+
else if (inTestContext) {
|
|
475
|
+
contextDescription = 'test/mock data generation';
|
|
476
|
+
}
|
|
477
|
+
else if (inUIContext) {
|
|
478
|
+
contextDescription = 'UI/cosmetic usage';
|
|
479
|
+
}
|
|
480
|
+
else if (inBusinessLogicContext) {
|
|
481
|
+
contextDescription = 'non-security usage';
|
|
482
|
+
}
|
|
483
|
+
return {
|
|
484
|
+
inSecurityContext,
|
|
485
|
+
inTestContext,
|
|
486
|
+
inUIContext,
|
|
487
|
+
inBusinessLogicContext,
|
|
488
|
+
contextDescription,
|
|
489
|
+
};
|
|
490
|
+
}
|
|
491
|
+
/**
|
|
492
|
+
* Check if file is an animation/motion component based on file name
|
|
493
|
+
* Files with animation-related names typically use Math.random for visual effects
|
|
494
|
+
*/
|
|
495
|
+
function isAnimationFile(filePath) {
|
|
496
|
+
const animationPatterns = [
|
|
497
|
+
/animated[-_]/i, // animated-document-scanner.tsx
|
|
498
|
+
/[-_]animation/i, // document-animation.tsx
|
|
499
|
+
/motion[-_]/i, // motion-component.tsx
|
|
500
|
+
/[-_]motion/i, // scroll-motion.tsx
|
|
501
|
+
/particles?[-_]/i, // particles-background.tsx
|
|
502
|
+
/confetti/i, // confetti.tsx
|
|
503
|
+
/[-_]effect/i, // hover-effect.tsx
|
|
504
|
+
/transition[-_]/i, // transition-wrapper.tsx
|
|
505
|
+
/visual[-_]/i, // visual-effects.tsx
|
|
506
|
+
/canvas[-_]/i, // canvas-animation.tsx
|
|
507
|
+
];
|
|
508
|
+
return animationPatterns.some(p => p.test(filePath));
|
|
509
|
+
}
|
|
510
|
+
/**
|
|
511
|
+
* Check if Math.random() is used for animation/motion coordinates
|
|
512
|
+
* Common in animation libraries like framer-motion, react-spring, Three.js, etc.
|
|
513
|
+
*/
|
|
514
|
+
function isAnimationCoordinateUsage(lineContent, context) {
|
|
515
|
+
// Object property assignments for coordinates
|
|
516
|
+
const coordinatePatterns = [
|
|
517
|
+
/\bx:\s*Math\.random/i, // x: Math.random()
|
|
518
|
+
/\by:\s*Math\.random/i, // y: Math.random()
|
|
519
|
+
/\bz:\s*Math\.random/i, // z: Math.random()
|
|
520
|
+
/\bleft:\s*.*Math\.random/i, // left: Math.random()
|
|
521
|
+
/\btop:\s*.*Math\.random/i, // top: Math.random()
|
|
522
|
+
/\bright:\s*.*Math\.random/i, // right: Math.random()
|
|
523
|
+
/\bbottom:\s*.*Math\.random/i, // bottom: Math.random()
|
|
524
|
+
/\brotation:\s*.*Math\.random/i, // rotation: Math.random()
|
|
525
|
+
/\brotateX:\s*.*Math\.random/i, // rotateX: Math.random()
|
|
526
|
+
/\brotateY:\s*.*Math\.random/i, // rotateY: Math.random()
|
|
527
|
+
/\brotateZ:\s*.*Math\.random/i, // rotateZ: Math.random()
|
|
528
|
+
/\bscaleX?:\s*.*Math\.random/i, // scale/scaleX: Math.random()
|
|
529
|
+
/\bscaleY:\s*.*Math\.random/i, // scaleY: Math.random()
|
|
530
|
+
/\bopacity:\s*.*Math\.random/i, // opacity: Math.random()
|
|
531
|
+
/\bduration:\s*.*Math\.random/i, // duration: Math.random()
|
|
532
|
+
/\bdelay:\s*.*Math\.random/i, // delay: Math.random()
|
|
533
|
+
// 3D/Three.js specific patterns
|
|
534
|
+
/\boffset\s*=.*Math\.random/i, // offset = Math.random()
|
|
535
|
+
/useMemo\s*\(\s*\(\s*\)\s*=>\s*Math\.random/i, // useMemo(() => Math.random(), [])
|
|
536
|
+
/\bphase\s*[:=].*Math\.random/i, // phase: Math.random() or phase = Math.random()
|
|
537
|
+
/\bspeed\s*[:=].*Math\.random/i, // speed: Math.random()
|
|
538
|
+
/\bangle\s*[:=].*Math\.random/i, // angle: Math.random()
|
|
539
|
+
];
|
|
540
|
+
if (coordinatePatterns.some(p => p.test(lineContent))) {
|
|
541
|
+
return true;
|
|
542
|
+
}
|
|
543
|
+
// Motion/animation library context patterns
|
|
544
|
+
const motionLibraryPatterns = [
|
|
545
|
+
/framer-motion/i,
|
|
546
|
+
/react-spring/i,
|
|
547
|
+
/react-motion/i,
|
|
548
|
+
/gsap/i,
|
|
549
|
+
/animejs/i,
|
|
550
|
+
/popmotion/i,
|
|
551
|
+
/motion\.div/i,
|
|
552
|
+
/useSpring/i,
|
|
553
|
+
/useAnimation/i,
|
|
554
|
+
/animate\s*\(/i,
|
|
555
|
+
/keyframes/i,
|
|
556
|
+
// Three.js and React Three Fiber patterns
|
|
557
|
+
/three/i,
|
|
558
|
+
/useFrame/i,
|
|
559
|
+
/@react-three/i,
|
|
560
|
+
/Canvas/i, // React Three Fiber Canvas
|
|
561
|
+
/mesh/i, // Three.js mesh
|
|
562
|
+
/geometry/i, // Three.js geometry
|
|
563
|
+
/material/i, // Three.js material
|
|
564
|
+
];
|
|
565
|
+
return motionLibraryPatterns.some(p => p.test(context));
|
|
566
|
+
}
|
|
567
|
+
/**
|
|
568
|
+
* Check if Math.random() is used in a template placeholder generator context
|
|
569
|
+
* Template systems often use random generators for placeholder values
|
|
570
|
+
*
|
|
571
|
+
* Examples:
|
|
572
|
+
* const templates = { random: () => Math.random().toString() }
|
|
573
|
+
* random_hex: () => Math.random().toString(16)
|
|
574
|
+
* {{random}} placeholder generation
|
|
575
|
+
*/
|
|
576
|
+
function isTemplatePlaceholderGenerator(line, content, lineNumber, lines) {
|
|
577
|
+
const _lines = lines ?? content.split('\n');
|
|
578
|
+
const contextStart = Math.max(0, lineNumber - 10);
|
|
579
|
+
const contextEnd = Math.min(_lines.length, lineNumber + 5);
|
|
580
|
+
const context = _lines.slice(contextStart, contextEnd).join('\n');
|
|
581
|
+
const templatePatterns = [
|
|
582
|
+
/\{\{random\w*\}\}/i, // {{random}}, {{random_hex}}, etc.
|
|
583
|
+
/random:\s*\(\s*\)\s*=>\s*Math\.random/i, // random: () => Math.random()
|
|
584
|
+
/random_\w+:\s*\(\s*\)\s*=>/i, // random_int: () => ...
|
|
585
|
+
/placeholder.*random/i, // placeholder context
|
|
586
|
+
/templates?\s*[=:]\s*\{/i, // templates = { or template: {
|
|
587
|
+
/generatePlaceholder/i, // generatePlaceholder function
|
|
588
|
+
/placeholder\s*[:=]/i, // placeholder: or placeholder =
|
|
589
|
+
];
|
|
590
|
+
return templatePatterns.some(p => p.test(context) || p.test(line));
|
|
591
|
+
}
|
|
592
|
+
/**
|
|
593
|
+
* Check if Math.random() should be skipped entirely
|
|
594
|
+
* Returns true for seed files, test fixtures, captcha/puzzle, uuid, React keys, jitter/backoff, and pure cosmetic uses
|
|
595
|
+
*/
|
|
596
|
+
function shouldSkipMathRandom(content, filePath, lineNumber, options) {
|
|
597
|
+
// Seed/data generation files - skip entirely
|
|
598
|
+
if ((0, file_classifier_1.isSeedOrDataGenFile)(filePath)) {
|
|
599
|
+
return true;
|
|
600
|
+
}
|
|
601
|
+
// Animation/motion component files - skip entirely
|
|
602
|
+
// These use Math.random for visual effects, not security
|
|
603
|
+
if (isAnimationFile(filePath)) {
|
|
604
|
+
return true;
|
|
605
|
+
}
|
|
606
|
+
// Educational/intentional vulnerability files - skip entirely
|
|
607
|
+
// These include OWASP Juice Shop, intentionally-vulnerable examples, etc.
|
|
608
|
+
if ((0, file_classifier_1.isEducationalVulnerabilityFile)(filePath)) {
|
|
609
|
+
return true;
|
|
610
|
+
}
|
|
611
|
+
// Check for React key pattern - this is a common pattern to force re-renders
|
|
612
|
+
// It's not a security issue, just a way to reset component state
|
|
613
|
+
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
614
|
+
const lineContent = lines[lineNumber] || '';
|
|
615
|
+
if (isReactKeyPattern(lineContent, filePath)) {
|
|
616
|
+
return true;
|
|
617
|
+
}
|
|
618
|
+
// Template placeholder generators - skip entirely
|
|
619
|
+
// These generate placeholder values for templates, not security tokens
|
|
620
|
+
if (isTemplatePlaceholderGenerator(lineContent, content, lineNumber, lines)) {
|
|
621
|
+
return true;
|
|
622
|
+
}
|
|
623
|
+
// Jitter/backoff/retry patterns - legitimate non-security use of randomness
|
|
624
|
+
// Used for network resilience, rate limiting, exponential backoff, etc.
|
|
625
|
+
if (isJitterOrBackoffContext(content, lineNumber, lines)) {
|
|
626
|
+
return true;
|
|
627
|
+
}
|
|
628
|
+
// Test files with test fixture patterns
|
|
629
|
+
if ((0, file_classifier_1.isTestOrMockFile)(filePath)) {
|
|
630
|
+
const line = lines[lineNumber];
|
|
631
|
+
// If in a test file and generating test data, skip
|
|
632
|
+
if (/\b(mock|fake|fixture|test)Data/i.test(line) ||
|
|
633
|
+
/\b(it|test|describe)\s*\(/.test(line)) {
|
|
634
|
+
return true;
|
|
635
|
+
}
|
|
636
|
+
}
|
|
637
|
+
// Pure cosmetic usage (CSS values, animations)
|
|
638
|
+
if (isCosmeticMathRandom(lineContent, content, lineNumber, lines)) {
|
|
639
|
+
// Additional check: if this is for animation/style, truly skip
|
|
640
|
+
const pureStylePatterns = [
|
|
641
|
+
/\.style\./,
|
|
642
|
+
/animation/i,
|
|
643
|
+
/transform/i,
|
|
644
|
+
/opacity/i,
|
|
645
|
+
/\brgb/i,
|
|
646
|
+
/\bhsl/i,
|
|
647
|
+
];
|
|
648
|
+
if (pureStylePatterns.some(p => p.test(lineContent))) {
|
|
649
|
+
return true;
|
|
650
|
+
}
|
|
651
|
+
}
|
|
652
|
+
// Animation coordinate usage (x, y, rotation, etc.)
|
|
653
|
+
// Get surrounding context for animation library detection
|
|
654
|
+
const contextStart = Math.max(0, lineNumber - 15);
|
|
655
|
+
const contextEnd = Math.min(lines.length, lineNumber + 5);
|
|
656
|
+
const animContext = lines.slice(contextStart, contextEnd).join('\n');
|
|
657
|
+
if (isAnimationCoordinateUsage(lineContent, animContext)) {
|
|
658
|
+
return true;
|
|
659
|
+
}
|
|
660
|
+
// Check function context for demo/seed/captcha/uuid functions
|
|
661
|
+
const functionName = (0, control_flow_1.extractFunctionContext)(content, lineNumber);
|
|
662
|
+
const functionIntent = classifyFunctionIntent(functionName);
|
|
663
|
+
// Skip demo, captcha, and uuid functions entirely - these are legitimate uses
|
|
664
|
+
if (functionIntent === 'demo' || functionIntent === 'captcha' || functionIntent === 'uuid') {
|
|
665
|
+
return true;
|
|
666
|
+
}
|
|
667
|
+
// Check for fallback pattern: crypto.randomUUID?.() ?? Math.random()
|
|
668
|
+
// When a secure primary method is used with Math.random as fallback,
|
|
669
|
+
// the code is safe (Math.random only runs in environments without crypto API)
|
|
670
|
+
const prevLines = lines.slice(Math.max(0, lineNumber - 2), lineNumber + 1).join(' ');
|
|
671
|
+
const multiLineFallbackPatterns = [
|
|
672
|
+
/crypto\??\.?\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i, // crypto.randomUUID() ??
|
|
673
|
+
/globalThis\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i, // globalThis.crypto?.randomUUID?.()
|
|
674
|
+
/window\.crypto\??\.?\s*randomUUID\??\.?\s*\(/i, // window.crypto?.randomUUID?.()
|
|
675
|
+
/\?\.\s*randomUUID\??\.?\s*\(\s*\)\s*\?\?/i, // ?.randomUUID?.() ??
|
|
676
|
+
/crypto\??\.?\s*getRandomValues\s*\(/i, // crypto.getRandomValues()
|
|
677
|
+
/randomUUID\??\.?\s*\(\s*\)\s*\?\?/i, // randomUUID?.() ?? (generic)
|
|
678
|
+
];
|
|
679
|
+
if (multiLineFallbackPatterns.some(p => p.test(prevLines))) {
|
|
680
|
+
return true; // Skip - Math.random is only a fallback for missing crypto API
|
|
681
|
+
}
|
|
682
|
+
return false;
|
|
683
|
+
}
|
|
684
|
+
//# sourceMappingURL=math-random.js.map
|