@oculum/scanner 1.0.11 → 1.0.13

package/dist/layer2/ssrf-detection.js

@@ -0,0 +1,252 @@
+"use strict";
+/**
+ * Layer 2: SSRF (Server-Side Request Forgery) Detector
+ * Detects user input flowing to server-side HTTP request sinks
+ *
+ * OWASP A01:2021 - Broken Access Control / A10:2021 - SSRF
+ * CWE-918: Server-Side Request Forgery
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectSSRFPatterns = detectSSRFPatterns;
+const context_helpers_1 = require("../utils/context-helpers");
+/** User input source patterns */
+const USER_INPUT_PATTERN = /(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/;
+/** Check if file is client-side (SSRF is server-only) */
+function isClientSideFile(content, filePath) {
+    if (/['"]use client['"]/.test(content))
+        return true;
+    // .tsx/.jsx in components dir without server indicators
+    if (/\/components\//.test(filePath) && !content.includes('express()') && !/['"]use server['"]/.test(content)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Check surrounding context for SSRF mitigations
+ */
+function hasSSRFMitigation(lines, lineIndex, windowSize = 15) {
+    const start = Math.max(0, lineIndex - windowSize);
+    const end = Math.min(lines.length, lineIndex + windowSize + 1);
+    const context = lines.slice(start, end).join('\n');
+    // Allowlist validation
+    if (/(?:allowed|safe|valid|permitted)(?:Hosts|Domains|Urls|Origins)/i.test(context))
+        return true;
+    if (/allowList|allowlist|whitelist|whiteList/.test(context))
+        return true;
+    // URL validation with host/origin check
+    if (/new\s+URL\(/.test(context) && /\.(?:hostname|host|origin)/.test(context))
+        return true;
+    // IP range checking
+    if (/isPrivateIP|isPrivate|isInternal|isLocalhost/i.test(context))
+        return true;
+    if (/(?:127\.0\.0\.1|10\.\d|192\.168\.|169\.254\.)/.test(context) && /(?:block|reject|deny|forbidden)/i.test(context))
+        return true;
+    // Environment variable source
+    if (/process\.env\./i.test(context)) {
+        // Check if the URL comes from env var, not just any env var in context
+        const envLineCount = lines.slice(start, end).filter(l => /process\.env\./.test(l)).length;
+        const userInputCount = lines.slice(start, end).filter(l => USER_INPUT_PATTERN.test(l)).length;
+        if (envLineCount > 0 && userInputCount <= 1)
+            return false; // Don't suppress just because env vars exist
+    }
+    return false;
+}
+/**
+ * Detect SSRF patterns in server-side code
+ */
+function detectSSRFPatterns(content, filePath, options) {
+    const vulnerabilities = [];
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    if ((0, context_helpers_1.isTestOrMockFile)(filePath))
+        return vulnerabilities;
+    if (isClientSideFile(content, filePath))
+        return vulnerabilities;
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    // ========== Pass 1: Direct taint — user input in HTTP sinks ==========
+    const DIRECT_SSRF_PATTERNS = [
+        // fetch(req.body.url), fetch(req.query.endpoint)
+        /(?:fetch|got|undici\.request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/,
+        // axios.get(req.body.url)
+        /axios\.(?:get|post|put|delete|patch|head|options|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+        // http.get(req.body.url), https.get(...)
+        /https?\.(?:get|request)\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+        // got(req.body.url)
+        /got\s*\(\s*(?:req|request|ctx\.request)\.(?:body|query|params)/,
+        // Python: requests.get(request.args.get('url'))
+        /requests\.(?:get|post|put|delete|patch|head|options)\s*\(\s*(?:request\.(?:args|form|json|data)\.get|request\.(?:args|form|json|data)\[)/,
+        // Python: urllib.request.urlopen(request.args.get('url'))
+        /urllib\.request\.urlopen\s*\(\s*(?:request\.(?:args|form|json))/,
+    ];
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, context_helpers_1.isComment)(line))
+            continue;
+        for (const pattern of DIRECT_SSRF_PATTERNS) {
+            if (pattern.test(line)) {
+                if (hasSSRFMitigation(lines, i))
+                    continue;
+                vulnerabilities.push({
+                    id: `ssrf-${filePath}-${i + 1}-direct`,
+                    filePath,
+                    lineNumber: i + 1,
+                    lineContent: line.trim(),
+                    severity: 'high',
+                    category: 'ssrf',
+                    title: 'SSRF: User input in HTTP request',
+                    description: 'User-controlled input flows directly to a server-side HTTP request. An attacker could force the server to make requests to internal services, cloud metadata endpoints (169.254.169.254), or other sensitive resources.',
+                    suggestedFix: 'Validate the URL against an allowlist of permitted domains. Block requests to private IP ranges and cloud metadata endpoints.',
+                    confidence: 'high',
+                    layer: 2,
+                });
+                break;
+            }
+        }
+    }
+    // ========== Pass 2: Open redirect ==========
+    const OPEN_REDIRECT_PATTERNS = [
+        // res.redirect(req.query.next)
+        /res\.redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
+        // redirect(req.query.returnTo)
+        /(?<!\w)redirect\s*\(\s*(?:req|request)\.(?:body|query|params)(?:\.\w+|\[)/,
+    ];
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, context_helpers_1.isComment)(line))
+            continue;
+        for (const pattern of OPEN_REDIRECT_PATTERNS) {
+            if (pattern.test(line)) {
+                if (hasSSRFMitigation(lines, i))
+                    continue;
+                vulnerabilities.push({
+                    id: `ssrf-${filePath}-${i + 1}-redirect`,
+                    filePath,
+                    lineNumber: i + 1,
+                    lineContent: line.trim(),
+                    severity: 'high',
+                    category: 'ssrf',
+                    title: 'Open redirect: User input in redirect',
+                    description: 'User-controlled input is used in a server redirect. An attacker could craft a URL that redirects users to a malicious site for phishing.',
+                    suggestedFix: 'Validate redirect URLs against an allowlist of permitted paths or domains. Use relative paths instead of absolute URLs.',
+                    confidence: 'high',
+                    layer: 2,
+                });
+                break;
+            }
+        }
+    }
+    // ========== Pass 3: Variable-mediated taint ==========
+    // Track: const url = req.body.url; ... fetch(url)
+    const taintedVars = new Map(); // varName -> lineIndex
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, context_helpers_1.isComment)(line))
+            continue;
+        // Detect taint sources: const/let/var url = req.body.url
+        const taintMatch = line.match(/(?:const|let|var)\s+(\w+)\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params|headers)(?:\.\w+|\[)/);
+        if (taintMatch) {
+            taintedVars.set(taintMatch[1], i);
+            continue;
+        }
+        // Also detect destructuring: const { url } = req.body
+        const destructMatch = line.match(/(?:const|let|var)\s*\{([^}]+)\}\s*=\s*(?:req|request|ctx\.request)\.(?:body|query|params)/);
+        if (destructMatch) {
+            const vars = destructMatch[1].split(',').map(v => v.trim().split(':')[0].trim());
+            for (const v of vars) {
+                if (v)
+                    taintedVars.set(v, i);
+            }
+            continue;
+        }
+        // Check if tainted variable flows to HTTP sink (within 20 lines)
+        if (taintedVars.size > 0) {
+            const httpSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request)|undici\.request)\s*\(/;
+            if (httpSinkPattern.test(line)) {
+                for (const [varName, sourceLineIdx] of taintedVars) {
+                    if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
+                        // Check if the variable is used in this sink call
+                        const varPattern = new RegExp(`\\b${varName}\\b`);
+                        if (varPattern.test(line)) {
+                            if (hasSSRFMitigation(lines, i))
+                                continue;
+                            vulnerabilities.push({
+                                id: `ssrf-${filePath}-${i + 1}-mediated`,
+                                filePath,
+                                lineNumber: i + 1,
+                                lineContent: line.trim(),
+                                severity: 'medium',
+                                category: 'ssrf',
+                                title: 'SSRF: Variable-mediated user input in HTTP request',
+                                description: `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to an HTTP request sink. An attacker could control the request destination.`,
+                                suggestedFix: 'Validate the URL against an allowlist before making the request. Block private IP ranges.',
+                                confidence: 'medium',
+                                layer: 2,
+                                requiresAIValidation: true,
+                            });
+                            break;
+                        }
+                    }
+                }
+            }
+            // Check for redirect sinks too
+            const redirectSinkPattern = /(?:res\.redirect|redirect)\s*\(/;
+            if (redirectSinkPattern.test(line)) {
+                for (const [varName, sourceLineIdx] of taintedVars) {
+                    if (i - sourceLineIdx <= 20 && i - sourceLineIdx > 0) {
+                        const varPattern = new RegExp(`\\b${varName}\\b`);
+                        if (varPattern.test(line)) {
+                            if (hasSSRFMitigation(lines, i))
+                                continue;
+                            vulnerabilities.push({
+                                id: `ssrf-${filePath}-${i + 1}-redirect-mediated`,
+                                filePath,
+                                lineNumber: i + 1,
+                                lineContent: line.trim(),
+                                severity: 'medium',
+                                category: 'ssrf',
+                                title: 'Open redirect: Variable-mediated user input',
+                                description: `User input assigned to variable '${varName}' (line ${sourceLineIdx + 1}) flows to a redirect call.`,
+                                suggestedFix: 'Validate redirect URL against an allowlist of permitted paths.',
+                                confidence: 'medium',
+                                layer: 2,
+                                requiresAIValidation: true,
+                            });
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+    }
+    // ========== Pass 4: Template literal with user input in URL ==========
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, context_helpers_1.isComment)(line))
+            continue;
+        // fetch(`${req.query.baseUrl}/api`) or fetch(`http://${req.body.host}/path`)
+        const templateSinkPattern = /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got|https?\.(?:get|request))\s*\(\s*`[^`]*\$\{[^}]*(?:req|request|ctx\.request)\.(?:body|query|params)[^}]*\}/;
+        if (templateSinkPattern.test(line)) {
+            // Avoid duplicate with direct taint
+            const alreadyFound = vulnerabilities.some(v => v.lineNumber === i + 1 && v.filePath === filePath);
+            if (alreadyFound)
+                continue;
+            if (hasSSRFMitigation(lines, i))
+                continue;
+            vulnerabilities.push({
+                id: `ssrf-${filePath}-${i + 1}-template`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity: 'high',
+                category: 'ssrf',
+                title: 'SSRF: User input interpolated in HTTP request URL',
+                description: 'User-controlled request data is interpolated into an HTTP request URL via template literal. An attacker could manipulate the request destination.',
+                suggestedFix: 'Extract and validate the user input before constructing the URL. Use an allowlist of permitted domains.',
+                confidence: 'high',
+                layer: 2,
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=ssrf-detection.js.map

package/dist/layer2/ssrf-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-detection.js","sourceRoot":"","sources":["../../src/layer2/ssrf-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA4DH,gDA6NC;AArRD,8DAIiC;AAMjC,iCAAiC;AACjC,MAAM,kBAAkB,GAAG,yEAAyE,CAAA;AAEpG,yDAAyD;AACzD,SAAS,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IACzD,IAAI,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IACnD,wDAAwD;IACxD,IAAI,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7G,OAAO,IAAI,CAAA;IACb,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAAe,EAAE,SAAiB,EAAE,aAAqB,EAAE;IACpF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,uBAAuB;IACvB,IAAI,iEAAiE,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAChG,IAAI,yCAAyC,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAExE,wCAAwC;IACxC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAE1F,oBAAoB;IACpB,IAAI,+CAA+C,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAC9E,IAAI,+CAA+C,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAA;IAElI,8BAA8B;IAC9B,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACpC,uEAAuE;QACvE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;QACzF,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAA;QAC7F,IAAI,YAAY,GAAG,CAAC,IAAI,cAAc,IAAI,CAAC;YAAE,OAAO,KAAK,CAAA,CAAC,6CAA6C;IACzG,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAqB;IAErB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IACtD,IAAI,gBAAgB,CAAC,OAAO,EAAE,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE/D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,wEAAwE;IACxE,MAAM,oBAAoB,GAAG;QAC3B,iDAAiD;QACjD,8GAA8G;QAC9G,0BAA0B;QAC1B,sHAAsH;QACtH,yCAAyC;QACzC,oFAAoF;QACpF,oBAAoB;QACpB,gEAAgE;QAChE,gDAAgD;QAChD,0IAA0I;QAC1I,0DAA0D;QAC1D,iEAAiE;KAClE,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;YAC3C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;oBAAE,SAAQ;gBAEzC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,SAAS;oBACtC,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,kCAAkC;oBACzC,WAAW,EACT,yNAAyN;oBAC3N,YAAY,EACV,+HAA+H;oBACjI,UAAU,EAAE,MAAM;oBAClB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,MAAM,sBAAsB,GAAG;QAC7B,+BAA+B;QAC/B,yEAAyE;QACzE,+BAA+B;QAC/B,2EAA2E;KAC5E,CAAA;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;YAC7C,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;oBAAE,SAAQ;gBAEzC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,WAAW;oBACxC,QAAQ;oBACR,UAAU,EAAE,CAAC,GAAG,CAAC;oBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,uCAAuC;oBAC9C,WAAW,EACT,0IAA0I;oBAC5I,YAAY,EACV,yHAAyH;oBAC3H,UAAU,EAAE,MAAM;oBAClB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,kDAAkD;IAClD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAA,CAAC,uBAAuB;IAErE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,yDAAyD;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAC3B,yGAAyG,CAC1G,CAAA;QACD,IAAI,UAAU,EAAE,CAAC;YACf,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;YACjC,SAAQ;QACV,CAAC;QAED,sDAAsD;QACtD,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAC9B,2FAA2F,CAC5F,CAAA;QACD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;YAChF,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,IAAI,CAAC;oBAAE,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;YAC9B,CAAC;YACD,SAAQ;QACV,CAAC;QAED,iEAAiE;QACjE,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACzB,MAAM,eAAe,GAAG,yGAAyG,CAAA;YACjI,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,KAAK,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,WAAW,EAAE,CAAC;oBACnD,IAAI,CAAC,GAAG,aAAa,IAAI,EAAE,IAAI,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;wBACrD,kDAAkD;wBAClD,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,CAAC,CAAA;wBACjD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC1B,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gCAAE,SAAQ;4BAEzC,eAAe,CAAC,IAAI,CAAC;gCACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,WAAW;gCACxC,QAAQ;gCACR,UAAU,EAAE,CAAC,GAAG,CAAC;gCACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gCACxB,QAAQ,EAAE,QAAQ;gCAClB,QAAQ,EAAE,MAAM;gCAChB,KAAK,EAAE,oDAAoD;gCAC3D,WAAW,EACT,oCAAoC,OAAO,WAAW,aAAa,GAAG,CAAC,qFAAqF;gCAC9J,YAAY,EACV,2FAA2F;gCAC7F,UAAU,EAAE,QAAQ;gCACpB,KAAK,EAAE,CAAC;gCACR,oBAAoB,EAAE,IAAI;6BAC3B,CAAC,CAAA;4BACF,MAAK;wBACP,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,+BAA+B;YAC/B,MAAM,mBAAmB,GAAG,iCAAiC,CAAA;YAC7D,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,KAAK,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,WAAW,EAAE,CAAC;oBACnD,IAAI,CAAC,GAAG,aAAa,IAAI,EAAE,IAAI,CAAC,GAAG,aAAa,GAAG,CAAC,EAAE,CAAC;wBACrD,MAAM,UAAU,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,CAAC,CAAA;wBACjD,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAC1B,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gCAAE,SAAQ;4BAEzC,eAAe,CAAC,IAAI,CAAC;gCACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,oBAAoB;gCACjD,QAAQ;gCACR,UAAU,EAAE,CAAC,GAAG,CAAC;gCACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gCACxB,QAAQ,EAAE,QAAQ;gCAClB,QAAQ,EAAE,MAAM;gCAChB,KAAK,EAAE,6CAA6C;gCACpD,WAAW,EACT,oCAAoC,OAAO,WAAW,aAAa,GAAG,CAAC,6BAA6B;gCACtG,YAAY,EAAE,gEAAgE;gCAC9E,UAAU,EAAE,QAAQ;gCACpB,KAAK,EAAE,CAAC;gCACR,oBAAoB,EAAE,IAAI;6BAC3B,CAAC,CAAA;4BACF,MAAK;wBACP,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,6EAA6E;QAC7E,MAAM,mBAAmB,GAAG,qKAAqK,CAAA;QACjM,IAAI,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACnC,oCAAoC;YACpC,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CACvC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CACvD,CAAA;YACD,IAAI,YAAY;gBAAE,SAAQ;YAC1B,IAAI,iBAAiB,CAAC,KAAK,EAAE,CAAC,CAAC;gBAAE,SAAQ;YAEzC,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,QAAQ,QAAQ,IAAI,CAAC,GAAG,CAAC,WAAW;gBACxC,QAAQ;gBACR,UAAU,EAAE,CAAC,GAAG,CAAC;gBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,mDAAmD;gBAC1D,WAAW,EACT,mJAAmJ;gBACrJ,YAAY,EACV,yGAAyG;gBAC3G,UAAU,EAAE,MAAM;gBAClB,KAAK,EAAE,CAAC;aACT,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer2/variables.d.ts

@@ -3,6 +3,9 @@
  * Identifies variable names associated with sensitive data
  */
 import type { Vulnerability, SensitiveVariablePattern } from '../types';
+import type { ParsedFile } from '../utils/parsed-file';
 export declare const SENSITIVE_VARIABLE_PATTERNS: SensitiveVariablePattern[];
-export declare function detectSensitiveVariables(content: string, filePath: string): Vulnerability[];
+export declare function detectSensitiveVariables(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
 //# sourceMappingURL=variables.d.ts.map

package/dist/layer2/variables.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"variables.d.ts","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AAIvE,eAAO,MAAM,2BAA2B,EAAE,wBAAwB,EA0DjE,CAAA;AAqDD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,aAAa,EAAE,CA+CjB"}
+{"version":3,"file":"variables.d.ts","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAA;AACvE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAItD,eAAO,MAAM,2BAA2B,EAAE,wBAAwB,EA0DjE,CAAA;AAqDD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CA+CjB"}

package/dist/layer2/variables.js

@@ -110,12 +110,12 @@ function isTypeDefinition(line) {
         /:\s*(string|number|boolean|any)\s*[;,}]/.test(line) ||
         /\?\s*:\s*\w+/.test(line));
 }
-function detectSensitiveVariables(content, filePath) {
+function detectSensitiveVariables(content, filePath, options) {
     const vulnerabilities = [];
     // Skip scanner/fixture files to avoid self-detection
     if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
         return vulnerabilities;
-    const lines = content.split('\n');
+    const lines = options?.parsed?.lines ?? content.split('\n');
     lines.forEach((line, index) => {
         // Skip comments
         if (isComment(line))

package/dist/layer2/variables.js.map

@@ -1 +1 @@
-{"version":3,"file":"variables.js","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAqHH,4DAkDC;AApKD,8DAAiE;AAEjE,wCAAwC;AAC3B,QAAA,2BAA2B,GAA+B;IACrE,mBAAmB;IACnB;QACE,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gDAAgD;KAC9D;IACD,gBAAgB;IAChB;QACE,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,OAAO,EAAE,yCAAyC;QAClD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;KACpD;IACD,iBAAiB;IACjB;QACE,OAAO,EAAE,2DAA2D;QACpE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;KACzD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oCAAoC;KAClD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mDAAmD;KACjE;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uCAAuC;KACrD;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oCAAoC;KAClD;CACF,CAAA;AAED,mEAAmE;AACnE,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,YAAY,GAAG;QACnB,kBAAkB,EAAqB,cAAc;QACrD,kBAAkB,EAAqB,kBAAkB;QACzD,uBAAuB,EAAgB,uBAAuB;QAC9D,qBAAqB,EAAkB,gBAAgB;QACvD,kBAAkB,EAAqB,kBAAkB;QACzD,0BAA0B,EAAa,wBAAwB;QAC/D,mBAAmB,EAAoB,iBAAiB;QACxD,qBAAqB,EAAkB,kBAAkB;QACzD,yBAAyB,EAAc,oBAAoB;QAC3D,mBAAmB,EAAoB,WAAW;QAClD,gBAAgB,EAAuB,aAAa;QACpD,oBAAoB,EAAmB,kBAAkB;QACzD,eAAe,EAAwB,cAAc;QACrD,mBAAmB,EAAoB,mBAAmB;QAC1D,uBAAuB,EAAgB,uBAAuB;QAC9D,sBAAsB,EAAiB,sBAAsB;QAC7D,gBAAgB,EAAuB,4CAA4C;QACnF,MAAM,EAAiC,oCAAoC;QAC3E,MAAM,EAAiC,qBAAqB;QAC5D,iCAAiC,EAAM,kCAAkC;KAC1E,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;AACzD,CAAC;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAC3B,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,CACL,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC;QACzC,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC;QACpD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAC1B,CAAA;AACH,CAAC;AAED,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,wBAAwB;QACxB,IAAI,gBAAgB,CAAC,IAAI,CAAC;YAAE,OAAM;QAElC,2CAA2C;QAC3C,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,OAAM;QAEvC,KAAK,MAAM,OAAO,IAAI,mCAA2B,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,sDAAsD;gBACtD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAA;gBAEzD,IAAI,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3C,oCAAoC;oBACpC,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,KAAK,GAAG,CAAC,EAAE;wBAClC,QAAQ;wBACR,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,QAAQ,EAAE,oBAAoB;wBAC9B,KAAK,EAAE,yCAAyC;wBAChD,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,0EAA0E;wBAC7G,YAAY,EAAE,iFAAiF;wBAC/F,UAAU,EAAE,QAAQ;wBACpB,KAAK,EAAE,CAAC;qBACT,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}
+{"version":3,"file":"variables.js","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAsHH,4DAmDC;AArKD,8DAAiE;AAEjE,wCAAwC;AAC3B,QAAA,2BAA2B,GAA+B;IACrE,mBAAmB;IACnB;QACE,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gDAAgD;KAC9D;IACD,gBAAgB;IAChB;QACE,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,OAAO,EAAE,yCAAyC;QAClD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;KACpD;IACD,iBAAiB;IACjB;QACE,OAAO,EAAE,2DAA2D;QACpE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;KACzD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oCAAoC;KAClD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mDAAmD;KACjE;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uCAAuC;KACrD;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oCAAoC;KAClD;CACF,CAAA;AAED,mEAAmE;AACnE,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,YAAY,GAAG;QACnB,kBAAkB,EAAqB,cAAc;QACrD,kBAAkB,EAAqB,kBAAkB;QACzD,uBAAuB,EAAgB,uBAAuB;QAC9D,qBAAqB,EAAkB,gBAAgB;QACvD,kBAAkB,EAAqB,kBAAkB;QACzD,0BAA0B,EAAa,wBAAwB;QAC/D,mBAAmB,EAAoB,iBAAiB;QACxD,qBAAqB,EAAkB,kBAAkB;QACzD,yBAAyB,EAAc,oBAAoB;QAC3D,mBAAmB,EAAoB,WAAW;QAClD,gBAAgB,EAAuB,aAAa;QACpD,oBAAoB,EAAmB,kBAAkB;QACzD,eAAe,EAAwB,cAAc;QACrD,mBAAmB,EAAoB,mBAAmB;QAC1D,uBAAuB,EAAgB,uBAAuB;QAC9D,sBAAsB,EAAiB,sBAAsB;QAC7D,gBAAgB,EAAuB,4CAA4C;QACnF,MAAM,EAAiC,oCAAoC;QAC3E,MAAM,EAAiC,qBAAqB;QAC5D,iCAAiC,EAAM,kCAAkC;KAC1E,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;AACzD,CAAC;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAC3B,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,CACL,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC;QACzC,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC;QACpD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAC1B,CAAA;AACH,CAAC;AAED,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,wBAAwB;QACxB,IAAI,gBAAgB,CAAC,IAAI,CAAC;YAAE,OAAM;QAElC,2CAA2C;QAC3C,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,OAAM;QAEvC,KAAK,MAAM,OAAO,IAAI,mCAA2B,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,sDAAsD;gBACtD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAA;gBAEzD,IAAI,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3C,oCAAoC;oBACpC,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,KAAK,GAAG,CAAC,EAAE;wBAClC,QAAQ;wBACR,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,QAAQ,EAAE,oBAAoB;wBAC9B,KAAK,EAAE,yCAAyC;wBAChD,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,0EAA0E;wBAC7G,YAAY,EAAE,iFAAiF;wBAC/F,UAAU,EAAE,QAAQ;wBACpB,KAAK,EAAE,CAAC;qBACT,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/layer2/xxe-detection.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Layer 2: XXE (XML External Entity) Detector
+ * Detects XML parsing without entity expansion protection
+ *
+ * OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
+ * CWE-611: Improper Restriction of XML External Entity Reference
+ */
+import type { Vulnerability } from '../types';
+import type { ParsedFile } from '../utils/parsed-file';
+interface XXEOptions {
+    parsed?: ParsedFile;
+}
+/**
+ * Detect XXE patterns in code
+ */
+export declare function detectXXEPatterns(content: string, filePath: string, options?: XXEOptions): Vulnerability[];
+export {};
+//# sourceMappingURL=xxe-detection.d.ts.map

package/dist/layer2/xxe-detection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xxe-detection.d.ts","sourceRoot":"","sources":["../../src/layer2/xxe-detection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAOtD,UAAU,UAAU;IAClB,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AA8LD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,UAAU,GACnB,aAAa,EAAE,CAsDjB"}

package/dist/layer2/xxe-detection.js

@@ -0,0 +1,242 @@
+"use strict";
+/**
+ * Layer 2: XXE (XML External Entity) Detector
+ * Detects XML parsing without entity expansion protection
+ *
+ * OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
+ * CWE-611: Improper Restriction of XML External Entity Reference
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectXXEPatterns = detectXXEPatterns;
+const context_helpers_1 = require("../utils/context-helpers");
+const XXE_PATTERNS = [
+    // ==================== Node.js ====================
+    {
+        pattern: /xml2js\.parseString|new\s+xml2js\.Parser/,
+        lang: 'node',
+        lib: 'xml2js',
+        safe: /explicitCharkey|xmlMode/,
+        severity: 'medium', // xml2js v0.5+ doesn't expand entities by default
+        extensions: ['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx'],
+    },
+    {
+        pattern: /libxmljs\.parseXml/,
+        lang: 'node',
+        lib: 'libxmljs',
+        safe: /noent\s*:\s*false/,
+        severity: 'high',
+        extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    },
+    {
+        pattern: /new\s+DOMParser\(\)\.parseFromString/,
+        lang: 'node',
+        lib: 'DOMParser',
+        severity: 'low', // Browsers block XXE by default
+        extensions: ['.js', '.ts', '.jsx', '.tsx'],
+    },
+    {
+        pattern: /(?:xmldom|@xmldom\/xmldom)/,
+        lang: 'node',
+        lib: 'xmldom',
+        safe: /entityExpansionEnabled\s*:\s*false/,
+        severity: 'medium',
+        extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    },
+    {
+        pattern: /(?:fast-xml-parser|XMLParser)/,
+        lang: 'node',
+        lib: 'fast-xml-parser',
+        safe: /processEntities\s*:\s*false/,
+        severity: 'medium',
+        extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    },
+    // ==================== Python ====================
+    {
+        pattern: /xml\.etree\.ElementTree\.parse|ET\.parse|etree\.parse/,
+        lang: 'python',
+        lib: 'xml.etree.ElementTree',
+        safe: /defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    {
+        pattern: /lxml\.etree\.parse|etree\.fromstring/,
+        lang: 'python',
+        lib: 'lxml.etree',
+        safe: /resolve_entities\s*=\s*False|defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    {
+        pattern: /xml\.sax\.parse|xml\.dom\.minidom\.parse/,
+        lang: 'python',
+        lib: 'xml.sax/minidom',
+        safe: /defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    {
+        pattern: /xml\.dom\.pulldom/,
+        lang: 'python',
+        lib: 'xml.dom.pulldom',
+        safe: /defusedxml/,
+        severity: 'high',
+        extensions: ['.py'],
+    },
+    // ==================== Java ====================
+    {
+        pattern: /DocumentBuilderFactory\.newInstance/,
+        lang: 'java',
+        lib: 'DocumentBuilderFactory',
+        safe: /disallow-doctype-decl|FEATURE_SECURE_PROCESSING/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    {
+        pattern: /SAXParserFactory\.newInstance/,
+        lang: 'java',
+        lib: 'SAXParserFactory',
+        safe: /disallow-doctype-decl|external-general-entities/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    {
+        pattern: /XMLInputFactory\.newInstance/,
+        lang: 'java',
+        lib: 'XMLInputFactory',
+        safe: /IS_SUPPORTING_EXTERNAL_ENTITIES|SUPPORT_DTD/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    {
+        pattern: /TransformerFactory\.newInstance/,
+        lang: 'java',
+        lib: 'TransformerFactory',
+        safe: /ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_STYLESHEET/,
+        severity: 'high',
+        extensions: ['.java'],
+    },
+    // ==================== PHP ====================
+    {
+        pattern: /simplexml_load_string|simplexml_load_file/,
+        lang: 'php',
+        lib: 'simplexml',
+        safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)|LIBXML_NOENT/,
+        severity: 'high',
+        extensions: ['.php'],
+    },
+    {
+        pattern: /DOMDocument.*(?:loadXML|load)\b/,
+        lang: 'php',
+        lib: 'DOMDocument',
+        safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)/,
+        severity: 'high',
+        extensions: ['.php'],
+    },
+    {
+        pattern: /XMLReader.*open/,
+        lang: 'php',
+        lib: 'XMLReader',
+        safe: /setParserProperty.*LOADDTD.*false/,
+        severity: 'high',
+        extensions: ['.php'],
+    },
+];
+/**
+ * Check if the file extension matches the expected language
+ */
+function matchesLanguageExtension(filePath, extensions) {
+    if (!extensions)
+        return true;
+    return extensions.some(ext => filePath.endsWith(ext));
+}
+/**
+ * Check surrounding context for safe configuration
+ */
+function hasSafeConfig(content, lines, lineIndex, safePattern, lang) {
+    if (!safePattern)
+        return false;
+    // For Python: check entire file for defusedxml import
+    if (lang === 'python' && /defusedxml/.test(safePattern.source)) {
+        if (/import\s+defusedxml|from\s+defusedxml/.test(content)) {
+            return true;
+        }
+    }
+    // Check surrounding context (±20 lines for Java setFeature, ±10 for others)
+    const windowSize = lang === 'java' ? 20 : 10;
+    const start = Math.max(0, lineIndex - windowSize);
+    const end = Math.min(lines.length, lineIndex + windowSize + 1);
+    const context = lines.slice(start, end).join('\n');
+    return safePattern.test(context);
+}
+/**
+ * Detect XXE patterns in code
+ */
+function detectXXEPatterns(content, filePath, options) {
+    const vulnerabilities = [];
+    if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        if ((0, context_helpers_1.isComment)(line))
+            continue;
+        for (const xxePattern of XXE_PATTERNS) {
+            // Check language extension match
+            if (!matchesLanguageExtension(filePath, xxePattern.extensions))
+                continue;
+            if (!xxePattern.pattern.test(line))
+                continue;
+            // Check for safe configuration
+            if (hasSafeConfig(content, lines, i, xxePattern.safe, xxePattern.lang))
+                continue;
+            let severity = xxePattern.severity || 'high';
+            // Downgrade for test files
+            if (isTestFile) {
+                severity = 'info';
+            }
+            // DOMParser in .tsx client files is inherently safe
+            if (xxePattern.lib === 'DOMParser' && (filePath.endsWith('.tsx') || filePath.endsWith('.jsx'))) {
+                severity = 'info';
+            }
+            vulnerabilities.push({
+                id: `xxe-${filePath}-${i + 1}-${xxePattern.lib}`,
+                filePath,
+                lineNumber: i + 1,
+                lineContent: line.trim(),
+                severity,
+                category: 'xxe',
+                title: `XXE risk: ${xxePattern.lib} XML parser without entity protection`,
+                description: `${xxePattern.lib} XML parser is used without disabling external entity processing. An attacker could supply malicious XML to read server files, perform SSRF, or cause denial-of-service.`,
+                suggestedFix: getSuggestedFix(xxePattern.lang, xxePattern.lib),
+                confidence: severity === 'high' ? 'high' : 'medium',
+                layer: 2,
+                requiresAIValidation: severity !== 'high',
+            });
+            break; // One finding per line
+        }
+    }
+    return vulnerabilities;
+}
+function getSuggestedFix(lang, lib) {
+    switch (lang) {
+        case 'python':
+            return 'Use defusedxml instead of the standard xml library: pip install defusedxml && from defusedxml.ElementTree import parse';
+        case 'java':
+            return 'Disable external entities: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)';
+        case 'php':
+            return 'Disable entity loading: libxml_disable_entity_loader(true) before parsing XML';
+        case 'node':
+            if (lib === 'fast-xml-parser') {
+                return 'Disable entity processing: new XMLParser({ processEntities: false })';
+            }
+            if (lib === 'xml2js') {
+                return 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false';
+            }
+            return 'Disable external entity processing in the XML parser configuration';
+        default:
+            return 'Disable external entity processing in the XML parser configuration';
+    }
+}
+//# sourceMappingURL=xxe-detection.js.map

package/dist/layer2/xxe-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xxe-detection.js","sourceRoot":"","sources":["../../src/layer2/xxe-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA6MH,8CA0DC;AAnQD,8DAIiC;AAqBjC,MAAM,YAAY,GAAiB;IACjC,oDAAoD;IACpD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ,EAAE,kDAAkD;QACtE,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3D;IACD;QACE,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,UAAU;QACf,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,WAAW;QAChB,QAAQ,EAAE,KAAK,EAAE,gCAAgC;QACjD,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IAED,mDAAmD;IACnD;QACE,OAAO,EAAE,uDAAuD;QAChE,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,uBAAuB;QAC5B,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,YAAY;QACjB,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IAED,iDAAiD;IACjD;QACE,OAAO,EAAE,qCAAqC;QAC9C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,wBAAwB;QAC7B,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,kBAAkB;QACvB,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,6CAA6C;QACnD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,oBAAoB;QACzB,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IAED,gDAAgD;IAChD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,4DAA4D;QAClE,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,aAAa;QAClB,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;IACD;QACE,OAAO,EAAE,iBAAiB;QAC1B,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;CACF,CAAA;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,QAAgB,EAAE,UAAqB;IACvE,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,OAAe,EACf,KAAe,EACf,SAAiB,EACjB,WAA+B,EAC/B,IAAY;IAEZ,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAA;IAE9B,sDAAsD;IACtD,IAAI,IAAI,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/D,IAAI,uCAAuC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,MAAM,UAAU,GAAG,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,OAAe,EACf,QAAgB,EAChB,OAAoB;IAEpB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;YACtC,iCAAiC;YACjC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;gBAAE,SAAQ;YAExE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE5C,+BAA+B;YAC/B,IAAI,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEhF,IAAI,QAAQ,GAA0B,UAAU,CAAC,QAAQ,IAAI,MAAM,CAAA;YAEnE,2BAA2B;YAC3B,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YAED,oDAAoD;YACpD,IAAI,UAAU,CAAC,GAAG,KAAK,WAAW,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC/F,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,EAAE;gBAChD,QAAQ;gBACR,UAAU,EAAE,CAAC,GAAG,CAAC;gBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxB,QAAQ;gBACR,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,aAAa,UAAU,CAAC,GAAG,uCAAuC;gBACzE,WAAW,EACT,GAAG,UAAU,CAAC,GAAG,0KAA0K;gBAC7L,YAAY,EAAE,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC;gBAC9D,UAAU,EAAE,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBACnD,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,QAAQ,KAAK,MAAM;aAC1C,CAAC,CAAA;YAEF,MAAK,CAAC,uBAAuB;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,GAAW;IAChD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ;YACX,OAAO,wHAAwH,CAAA;QACjI,KAAK,MAAM;YACT,OAAO,6GAA6G,CAAA;QACtH,KAAK,KAAK;YACR,OAAO,+EAA+E,CAAA;QACxF,KAAK,MAAM;YACT,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;gBAC9B,OAAO,sEAAsE,CAAA;YAC/E,CAAC;YACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACrB,OAAO,iHAAiH,CAAA;YAC1H,CAAC;YACD,OAAO,oEAAoE,CAAA;QAC7E;YACE,OAAO,oEAAoE,CAAA;IAC/E,CAAC;AACH,CAAC"}

package/dist/layer3/anthropic/auto-dismiss.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auto-dismiss.d.ts","sourceRoot":"","sources":["../../../src/layer3/anthropic/auto-dismiss.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAgKhD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,aAAa,EAAE,EACzB,IAAI,GAAE,YAAY,GAAG,SAAwB,GAC5C;IACD,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,SAAS,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,aAAa,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC3E,CA8BA"}
+{"version":3,"file":"auto-dismiss.d.ts","sourceRoot":"","sources":["../../../src/layer3/anthropic/auto-dismiss.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AA2KhD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,aAAa,EAAE,EACzB,IAAI,GAAE,YAAY,GAAG,SAAwB,GAC5C;IACD,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,SAAS,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,aAAa,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC3E,CA8BA"}

package/dist/layer3/anthropic/auto-dismiss.js

@@ -140,6 +140,16 @@ const AUTO_DISMISS_RULES = [
         },
         reason: 'Timeout value (code style, not security)',
     },
+    // Low-value AI pattern findings - code quality, not security
+    {
+        name: 'low_severity_ai_pattern',
+        check: (finding) => {
+            if (finding.category !== 'ai_pattern')
+                return false;
+            return finding.severity === 'info' || finding.severity === 'low';
+        },
+        reason: 'Low-severity AI pattern (code quality, not security vulnerability)',
+    },
 ];
 // ============================================================================
 // Apply Auto-Dismiss Rules
@@ -150,6 +160,7 @@ const AUTO_DISMISS_RULES = [
  */
 const VALIDATION_ONLY_RULES = new Set([
     'info_severity_core_only', // Info findings should surface, just not go through expensive AI validation
+    'low_severity_ai_pattern', // Low/info AI patterns are code quality, not security — skip AI validation
 ]);
 /**
  * Apply smart auto-dismiss rules to filter obvious false positives