@oculum/scanner 1.0.11 → 1.0.13

package/dist/detect/structural/risky-imports.js

@@ -0,0 +1,168 @@
+"use strict";
+/**
+ * Layer 2: Risky Import/Package Analysis
+ * Detects imports of packages known to have security concerns or deprecated
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectRiskyImports = detectRiskyImports;
+const file_classifier_1 = require("../../parse/file-classifier");
+const BASE_CONFIDENCE = 0.20;
+const RISKY_PACKAGES = [
+    // Known vulnerable or deprecated packages
+    {
+        name: 'request (deprecated)',
+        pattern: /require\s*\(\s*['"]request['"]\s*\)|from\s+['"]request['"]/gi,
+        severity: 'medium',
+        description: 'The "request" package is deprecated and no longer maintained',
+        suggestedFix: 'Migrate to fetch, axios, or node-fetch',
+    },
+    {
+        name: 'node-uuid (deprecated)',
+        pattern: /require\s*\(\s*['"]node-uuid['"]\s*\)|from\s+['"]node-uuid['"]/gi,
+        severity: 'low',
+        description: 'node-uuid is deprecated in favor of uuid package',
+        suggestedFix: 'Use the "uuid" package instead',
+    },
+    // Packages with known security issues
+    {
+        name: 'lodash (full import)',
+        pattern: /require\s*\(\s*['"]lodash['"]\s*\)|import\s+\*?\s*(?:as\s+)?\w+\s+from\s+['"]lodash['"]/gi,
+        severity: 'low',
+        description: 'Full lodash import increases bundle size and attack surface',
+        suggestedFix: 'Import specific functions: import get from "lodash/get"',
+    },
+    {
+        name: 'moment.js (deprecated)',
+        pattern: /require\s*\(\s*['"]moment['"]\s*\)|from\s+['"]moment['"]/gi,
+        severity: 'low',
+        description: 'Moment.js is in maintenance mode, consider alternatives',
+        suggestedFix: 'Use date-fns, dayjs, or native Intl APIs',
+    },
+    // Security-focused sandbox packages - info only (these are used for security, not risky)
+    {
+        name: 'vm2 (sandbox)',
+        pattern: /require\s*\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/gi,
+        severity: 'info',
+        description: 'vm2 is a sandboxing library. While it has had sandbox escape vulnerabilities historically, using it is generally safer than running untrusted code directly. Keep vm2 updated.',
+        suggestedFix: 'Keep vm2 updated to the latest version. For maximum isolation, consider isolated-vm or running in a separate process.',
+    },
+    {
+        name: 'serialize-javascript (RCE risk)',
+        pattern: /require\s*\(\s*['"]serialize-javascript['"]\s*\)|from\s+['"]serialize-javascript['"]/gi,
+        severity: 'medium',
+        description: 'serialize-javascript can be dangerous if output is not properly handled',
+        suggestedFix: 'Ensure serialized output is not directly executed or use JSON.stringify',
+    },
+    // Crypto-related risky imports
+    {
+        name: 'crypto-js (outdated patterns)',
+        pattern: /require\s*\(\s*['"]crypto-js['"]\s*\)|from\s+['"]crypto-js['"]/gi,
+        severity: 'low',
+        description: 'crypto-js may use outdated crypto patterns',
+        suggestedFix: 'Prefer Node.js built-in crypto module or Web Crypto API',
+    },
+    {
+        name: 'bcrypt-nodejs (deprecated)',
+        pattern: /require\s*\(\s*['"]bcrypt-nodejs['"]\s*\)|from\s+['"]bcrypt-nodejs['"]/gi,
+        severity: 'medium',
+        description: 'bcrypt-nodejs is deprecated and unmaintained',
+        suggestedFix: 'Use bcrypt or bcryptjs instead',
+    },
+    // SQL/Database risky patterns
+    {
+        name: 'mysql (prefer mysql2)',
+        pattern: /require\s*\(\s*['"]mysql['"]\s*\)|from\s+['"]mysql['"]/gi,
+        severity: 'low',
+        description: 'mysql package is less maintained than mysql2',
+        suggestedFix: 'Consider using mysql2 for better security and performance',
+    },
+    // Python risky imports
+    {
+        name: 'pickle (unsafe deserialization)',
+        pattern: /^import\s+pickle|^from\s+pickle\s+import/gim,
+        severity: 'high',
+        description: 'pickle can execute arbitrary code during deserialization',
+        suggestedFix: 'Use JSON or other safe serialization formats for untrusted data',
+    },
+    {
+        name: 'yaml unsafe load',
+        pattern: /yaml\.load\s*\([^)]*\)(?!.*Loader)/gi,
+        severity: 'high',
+        description: 'yaml.load without Loader parameter can execute arbitrary code',
+        suggestedFix: 'Use yaml.safe_load() or specify Loader=yaml.SafeLoader',
+    },
+    {
+        name: 'subprocess shell=True',
+        pattern: /subprocess\.(call|run|Popen|check_output)\s*\([^)]*shell\s*=\s*True/gi,
+        severity: 'high',
+        description: 'subprocess with shell=True is vulnerable to shell injection',
+        suggestedFix: 'Use shell=False and pass arguments as a list',
+    },
+    // Telemetry/tracking packages (privacy concern)
+    {
+        name: 'Analytics package',
+        pattern: /require\s*\(\s*['"](analytics|segment|mixpanel|amplitude)['"]\s*\)|from\s+['"](analytics|segment|mixpanel|amplitude)['"]/gi,
+        severity: 'low',
+        description: 'Analytics package detected - ensure user consent is obtained',
+        suggestedFix: 'Implement proper consent mechanisms for user tracking',
+    },
+    // Outdated/vulnerable web frameworks
+    {
+        name: 'express-jwt (CVE history)',
+        pattern: /require\s*\(\s*['"]express-jwt['"]\s*\)|from\s+['"]express-jwt['"]/gi,
+        severity: 'medium',
+        description: 'express-jwt has had security vulnerabilities - ensure latest version',
+        suggestedFix: 'Update to latest version and consider jose or jsonwebtoken directly',
+    },
+    // Dangerous native modules
+    {
+        name: 'node-gyp native module',
+        pattern: /require\s*\(\s*['"]node-gyp['"]\s*\)|from\s+['"]node-gyp['"]/gi,
+        severity: 'low',
+        description: 'Native modules can introduce platform-specific vulnerabilities',
+        suggestedFix: 'Audit native dependencies and keep them updated',
+    },
+];
+// Check if line is a comment
+function isComment(line) {
+    const trimmed = line.trim();
+    return (trimmed.startsWith('//') ||
+        trimmed.startsWith('#') ||
+        trimmed.startsWith('*') ||
+        trimmed.startsWith('/*'));
+}
+function detectRiskyImports(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    lines.forEach((line, index) => {
+        // Skip comment lines
+        if (isComment(line))
+            return;
+        for (const pkg of RISKY_PACKAGES) {
+            const regex = new RegExp(pkg.pattern.source, pkg.pattern.flags);
+            if (regex.test(line)) {
+                vulnerabilities.push({
+                    id: `risky-import-${filePath}-${index + 1}-${pkg.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: pkg.severity,
+                    category: 'suspicious_package',
+                    title: `Risky package: ${pkg.name}`,
+                    description: pkg.description,
+                    suggestedFix: pkg.suggestedFix,
+                    confidence: 'high',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                });
+                break; // Only report once per line
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=risky-imports.js.map

package/dist/detect/structural/risky-imports.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"risky-imports.js","sourceRoot":"","sources":["../../../src/detect/structural/risky-imports.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAwJH,gDAyCC;AA7LD,iEAAoE;AAEpE,MAAM,eAAe,GAAG,IAAI,CAAA;AAU5B,MAAM,cAAc,GAAmB;IACrC,0CAA0C;IAC1C;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,wCAAwC;KACvD;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,gCAAgC;KAC/C;IAED,sCAAsC;IACtC;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,yDAAyD;KACxE;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,4DAA4D;QACrE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE,0CAA0C;KACzD;IAED,yFAAyF;IACzF;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gLAAgL;QAC7L,YAAY,EAAE,uHAAuH;KACtI;IACD;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,wFAAwF;QACjG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yEAAyE;QACtF,YAAY,EAAE,yEAAyE;KACxF;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,yDAAyD;KACxE;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,0EAA0E;QACnF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,gCAAgC;KAC/C;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,2DAA2D;KAC1E;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0DAA0D;QACvE,YAAY,EAAE,iEAAiE;KAChF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,wDAAwD;KACvE;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,8CAA8C;KAC7D;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,4HAA4H;QACrI,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,uDAAuD;KACtE;IAED,qCAAqC;IACrC;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,qEAAqE;KACpF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,gEAAgE;QAC7E,YAAY,EAAE,iDAAiD;KAChE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAE/D,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,gBAAgB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE;oBACvD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,QAAQ,EAAE,oBAAoB;oBAC9B,KAAK,EAAE,kBAAkB,GAAG,CAAC,IAAI,EAAE;oBACnC,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,YAAY,EAAE,GAAG,CAAC,YAAY;oBAC9B,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;iBAC5B,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/security-headers.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Layer 2: Security Headers Detector
+ * Detects missing HTTP security headers in server configurations
+ *
+ * OWASP A02:2021 - Cryptographic Failures / Security Misconfiguration
+ * CWE-693: Protection Mechanism Failure
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+interface SecurityHeadersOptions {
+    parsed?: ParsedFile;
+}
+/**
+ * Detect missing security headers in server configurations
+ */
+export declare function detectSecurityHeaders(content: string, filePath: string, options?: SecurityHeadersOptions): Vulnerability[];
+export {};
+//# sourceMappingURL=security-headers.d.ts.map

package/dist/detect/structural/security-headers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/security-headers.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAQ1D,UAAU,sBAAsB;IAC9B,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AAwCD;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,sBAAsB,GAC/B,aAAa,EAAE,CAoKjB"}

package/dist/detect/structural/security-headers.js

@@ -0,0 +1,196 @@
+"use strict";
+/**
+ * Layer 2: Security Headers Detector
+ * Detects missing HTTP security headers in server configurations
+ *
+ * OWASP A02:2021 - Cryptographic Failures / Security Misconfiguration
+ * CWE-693: Protection Mechanism Failure
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectSecurityHeaders = detectSecurityHeaders;
+const file_classifier_1 = require("../../parse/file-classifier");
+const BASE_CONFIDENCE = 0.35;
+/**
+ * Check if a file is client-side (not a server file)
+ */
+function isClientSideFile(content, filePath) {
+    // Explicit 'use client' directive
+    if (/['"]use client['"]/.test(content))
+        return true;
+    // Client-side file paths
+    const clientPatterns = [
+        /\/components\//i,
+        /\/hooks\//i,
+        /\/pages\/(?!api\/)/i, // pages/ but not pages/api/
+        /\.client\.(ts|js|tsx|jsx)$/i,
+    ];
+    // Only apply path heuristics if no server indicators
+    if (clientPatterns.some(p => p.test(filePath))) {
+        // Check for server indicators that override
+        const hasServerIndicators = content.includes('express()') ||
+            content.includes("require('express')") ||
+            content.includes('from \'express\'') ||
+            content.includes('from "express"') ||
+            content.includes('createServer') ||
+            /['"]use server['"]/.test(content);
+        if (!hasServerIndicators)
+            return true;
+    }
+    return false;
+}
+/**
+ * Check if a file is a Next.js config file
+ */
+function isNextConfig(filePath) {
+    return /next\.config\.(m?js|ts)$/.test(filePath);
+}
+/**
+ * Detect missing security headers in server configurations
+ */
+function detectSecurityHeaders(content, filePath, options) {
+    const vulnerabilities = [];
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    if ((0, file_classifier_1.isTestOrMockFile)(filePath))
+        return vulnerabilities;
+    if (isClientSideFile(content, filePath))
+        return vulnerabilities;
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    // --- Check 1: Express without helmet ---
+    const hasExpress = content.includes('express()') ||
+        /require\s*\(\s*['"]express['"]\s*\)/.test(content) ||
+        /from\s+['"]express['"]/.test(content);
+    if (hasExpress) {
+        const hasHelmet = /require\s*\(\s*['"]helmet['"]\s*\)/.test(content) ||
+            /from\s+['"]helmet['"]/.test(content) ||
+            /require\s*\(\s*['"]@fastify\/helmet['"]\s*\)/.test(content) ||
+            /from\s+['"]@fastify\/helmet['"]/.test(content);
+        if (!hasHelmet) {
+            // Find the line where express() is called
+            let expressLine = 0;
+            let expressContent = '';
+            for (let i = 0; i < lines.length; i++) {
+                if (/express\s*\(\s*\)/.test(lines[i])) {
+                    expressLine = i + 1;
+                    expressContent = lines[i].trim();
+                    break;
+                }
+            }
+            if (expressLine > 0) {
+                vulnerabilities.push({
+                    id: `secheader-${filePath}-express-no-helmet`,
+                    filePath,
+                    lineNumber: expressLine,
+                    lineContent: expressContent,
+                    severity: 'medium',
+                    category: 'missing_security_headers',
+                    title: 'Express app without helmet security headers',
+                    description: 'Express application does not use helmet middleware. This leaves the app without critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).',
+                    suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
+                    confidence: 'high',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                    requiresAIValidation: true,
+                });
+            }
+        }
+        else {
+            // --- Check 2: Helmet with CSP disabled ---
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (/contentSecurityPolicy\s*:\s*false/.test(line)) {
+                    vulnerabilities.push({
+                        id: `secheader-${filePath}-${i + 1}-csp-disabled`,
+                        filePath,
+                        lineNumber: i + 1,
+                        lineContent: line.trim(),
+                        severity: 'low',
+                        category: 'missing_security_headers',
+                        title: 'Helmet CSP disabled',
+                        description: 'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
+                        suggestedFix: 'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
+                        confidence: 'high',
+                        baseConfidence: BASE_CONFIDENCE,
+                        layer: 2,
+                        source: 'structural',
+                    });
+                }
+            }
+        }
+    }
+    // --- Check 3: Next.js config missing headers ---
+    if (isNextConfig(filePath)) {
+        const hasHeadersExport = /headers\s*\(\s*\)/.test(content) ||
+            /headers\s*:\s*(?:async\s*)?\(?\s*\)?\s*=>/.test(content) ||
+            /async\s+headers\s*\(\s*\)/.test(content);
+        if (!hasHeadersExport) {
+            vulnerabilities.push({
+                id: `secheader-${filePath}-nextjs-no-headers`,
+                filePath,
+                lineNumber: 1,
+                lineContent: lines[0]?.trim() || '',
+                severity: 'medium',
+                category: 'missing_security_headers',
+                title: 'Next.js config missing security headers',
+                description: 'next.config does not export a headers() function. Security headers (CSP, HSTS, X-Frame-Options) should be configured in Next.js config or middleware.',
+                suggestedFix: 'Add a headers() function to next.config.js that returns security headers array',
+                confidence: 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 2,
+                source: 'structural',
+                requiresAIValidation: true,
+            });
+        }
+    }
+    // --- Check 4: Server setting some headers but missing critical ones ---
+    // Only check files that explicitly set response headers
+    const setsHeaders = /res\.setHeader\s*\(/.test(content) ||
+        /response\.setHeader\s*\(/.test(content) ||
+        /res\.set\s*\(/.test(content) ||
+        /response\.headers\.set\s*\(/.test(content);
+    if (setsHeaders && !hasExpress) {
+        const criticalHeaders = [
+            { name: 'Content-Security-Policy', pattern: /content-security-policy/i },
+            { name: 'Strict-Transport-Security', pattern: /strict-transport-security/i },
+            { name: 'X-Content-Type-Options', pattern: /x-content-type-options/i },
+            { name: 'X-Frame-Options', pattern: /x-frame-options/i },
+        ];
+        const missingHeaders = criticalHeaders.filter(h => !h.pattern.test(content));
+        // Only flag if file sets SOME headers but omits critical ones
+        const presentHeaders = criticalHeaders.filter(h => h.pattern.test(content));
+        if (presentHeaders.length > 0 && missingHeaders.length > 0) {
+            // Find a line where headers are being set for reporting
+            let headerLine = 0;
+            let headerContent = '';
+            for (let i = 0; i < lines.length; i++) {
+                if (/(?:res|response)\.(?:setHeader|set|headers\.set)\s*\(/.test(lines[i])) {
+                    headerLine = i + 1;
+                    headerContent = lines[i].trim();
+                    break;
+                }
+            }
+            if (headerLine > 0) {
+                const missing = missingHeaders.map(h => h.name).join(', ');
+                vulnerabilities.push({
+                    id: `secheader-${filePath}-${headerLine}-missing-headers`,
+                    filePath,
+                    lineNumber: headerLine,
+                    lineContent: headerContent,
+                    severity: 'low',
+                    category: 'missing_security_headers',
+                    title: 'Incomplete security headers',
+                    description: `Server sets some response headers but is missing: ${missing}. Consider adding these critical security headers.`,
+                    suggestedFix: `Add missing security headers: ${missing}`,
+                    confidence: 'medium',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 2,
+                    source: 'structural',
+                    requiresAIValidation: true,
+                });
+            }
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=security-headers.js.map

package/dist/detect/structural/security-headers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../../../src/detect/structural/security-headers.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAwDH,sDAwKC;AA5ND,iEAGoC;AAEpC,MAAM,eAAe,GAAG,IAAI,CAAA;AAM5B;;GAEG;AACH,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IACzD,kCAAkC;IAClC,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAEnD,yBAAyB;IACzB,MAAM,cAAc,GAAG;QACrB,iBAAiB;QACjB,YAAY;QACZ,qBAAqB,EAAE,4BAA4B;QACnD,6BAA6B;KAC9B,CAAA;IAED,qDAAqD;IACrD,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC/C,4CAA4C;QAC5C,MAAM,mBAAmB,GACvB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC7B,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC;YACtC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAClC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YAChC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QACpC,IAAI,CAAC,mBAAmB;YAAE,OAAO,IAAI,CAAA;IACvC,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,QAAgB;IACpC,OAAO,0BAA0B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;AAClD,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,OAAe,EACf,QAAgB,EAChB,OAAgC;IAEhC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IACtD,IAAI,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE/D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,0CAA0C;IAC1C,MAAM,UAAU,GACd,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC7B,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC;QACnD,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAExC,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,SAAS,GACb,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC;YAClD,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC;YACrC,8CAA8C,CAAC,IAAI,CAAC,OAAO,CAAC;YAC5D,iCAAiC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAEjD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,0CAA0C;YAC1C,IAAI,WAAW,GAAG,CAAC,CAAA;YACnB,IAAI,cAAc,GAAG,EAAE,CAAA;YACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvC,WAAW,GAAG,CAAC,GAAG,CAAC,CAAA;oBACnB,cAAc,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;oBAChC,MAAK;gBACP,CAAC;YACH,CAAC;YAED,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,aAAa,QAAQ,oBAAoB;oBAC7C,QAAQ;oBACR,UAAU,EAAE,WAAW;oBACvB,WAAW,EAAE,cAAc;oBAC3B,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,0BAA0B;oBACpC,KAAK,EAAE,6CAA6C;oBACpD,WAAW,EACT,sKAAsK;oBACxK,YAAY,EAAE,4EAA4E;oBAC1F,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;oBAC3B,oBAAoB,EAAE,IAAI;iBAC3B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,4CAA4C;YAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;gBACrB,IAAI,mCAAmC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnD,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,aAAa,QAAQ,IAAI,CAAC,GAAG,CAAC,eAAe;wBACjD,QAAQ;wBACR,UAAU,EAAE,CAAC,GAAG,CAAC;wBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,KAAK;wBACf,QAAQ,EAAE,0BAA0B;wBACpC,KAAK,EAAE,qBAAqB;wBAC5B,WAAW,EACT,wHAAwH;wBAC1H,YAAY,EACV,yHAAyH;wBAC3H,UAAU,EAAE,MAAM;wBAClB,cAAc,EAAE,eAAe;wBAC/B,KAAK,EAAE,CAAC;wBACZ,MAAM,EAAE,YAAqB;qBAC1B,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,IAAI,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,MAAM,gBAAgB,GACpB,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC;YACjC,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC;YACzD,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAE3C,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,aAAa,QAAQ,oBAAoB;gBAC7C,QAAQ;gBACR,UAAU,EAAE,CAAC;gBACb,WAAW,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;gBACnC,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,0BAA0B;gBACpC,KAAK,EAAE,yCAAyC;gBAChD,WAAW,EACT,uJAAuJ;gBACzJ,YAAY,EACV,gFAAgF;gBAClF,UAAU,EAAE,QAAQ;gBACpB,cAAc,EAAE,eAAe;gBAC/B,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,YAAqB;gBAC7B,oBAAoB,EAAE,IAAI;aAC3B,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,wDAAwD;IACxD,MAAM,WAAW,GACf,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC;QACnC,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC;QACxC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;QAC7B,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;IAE7C,IAAI,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QAC/B,MAAM,eAAe,GAAG;YACtB,EAAE,IAAI,EAAE,yBAAyB,EAAE,OAAO,EAAE,0BAA0B,EAAE;YACxE,EAAE,IAAI,EAAE,2BAA2B,EAAE,OAAO,EAAE,4BAA4B,EAAE;YAC5E,EAAE,IAAI,EAAE,wBAAwB,EAAE,OAAO,EAAE,yBAAyB,EAAE;YACtE,EAAE,IAAI,EAAE,iBAAiB,EAAE,OAAO,EAAE,kBAAkB,EAAE;SACzD,CAAA;QAED,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAE5E,8DAA8D;QAC9D,MAAM,cAAc,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;QAC3E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3D,wDAAwD;YACxD,IAAI,UAAU,GAAG,CAAC,CAAA;YAClB,IAAI,aAAa,GAAG,EAAE,CAAA;YACtB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,IAAI,uDAAuD,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC3E,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA;oBAClB,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;oBAC/B,MAAK;gBACP,CAAC;YACH,CAAC;YAED,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;gBACnB,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;gBAC1D,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,aAAa,QAAQ,IAAI,UAAU,kBAAkB;oBACzD,QAAQ;oBACR,UAAU,EAAE,UAAU;oBACtB,WAAW,EAAE,aAAa;oBAC1B,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,0BAA0B;oBACpC,KAAK,EAAE,6BAA6B;oBACpC,WAAW,EAAE,qDAAqD,OAAO,oDAAoD;oBAC7H,YAAY,EAAE,iCAAiC,OAAO,EAAE;oBACxD,UAAU,EAAE,QAAQ;oBACpB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,YAAqB;oBAC3B,oBAAoB,EAAE,IAAI;iBAC3B,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/structural/ssrf-detection.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Layer 2: SSRF (Server-Side Request Forgery) Detector
+ * Detects user input flowing to server-side HTTP request sinks
+ *
+ * OWASP A01:2021 - Broken Access Control / A10:2021 - SSRF
+ * CWE-918: Server-Side Request Forgery
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+interface SSRFOptions {
+    parsed?: ParsedFile;
+}
+/**
+ * Detect SSRF patterns in server-side code
+ */
+export declare function detectSSRFPatterns(content: string, filePath: string, options?: SSRFOptions): Vulnerability[];
+export {};
+//# sourceMappingURL=ssrf-detection.d.ts.map

package/dist/detect/structural/ssrf-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-detection.d.ts","sourceRoot":"","sources":["../../../src/detect/structural/ssrf-detection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAS1D,UAAU,WAAW;IACnB,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AA6CD;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,WAAW,GACpB,aAAa,EAAE,CAmOjB"}