@oculum/scanner 1.0.12 → 1.0.13

package/src/{layer2 → detect/structural}/dangerous-functions/index.ts

@@ -5,8 +5,8 @@
  * This module orchestrates detection across multiple specialized modules.
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../../types'
-import type { ParsedFile } from '../../utils/parsed-file'
+import type { Vulnerability, VulnerabilitySeverity } from '../../../shared/types'
+import type { ParsedFile } from '../../../shared/parsed-file'
 import {
   isComment,
   isTestOrMockFile,
@@ -15,7 +15,7 @@ import {
   isDesktopAppContext,
   isMcpServerContext,
   isFileLoaderContext,
-} from '../../utils/context-helpers'
+} from '../../../parse/file-classifier'
 
 // Pattern definitions
 import {
@@ -62,6 +62,8 @@ import { hasOnlyStaticInputs, hasPathTraversalProtection } from './utils/helpers
 // Re-export types and patterns for external use
 export { DANGEROUS_FUNCTIONS, type DangerousFunctionPattern } from './patterns'
 
+const BASE_CONFIDENCE = 0.40
+
 /**
  * Main detection function for dangerous function calls
  */
@@ -331,8 +333,9 @@ function handleInnerHTMLPattern(
       suggestedFix:
         'Consider input validation, content filtering, or structured prompts to limit prompt injection risk.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -356,8 +359,9 @@ function handleInnerHTMLPattern(
       (isTestFile ? ' (in test file)' : ''),
     suggestedFix: funcPattern.suggestedFix,
     confidence: isTestFile ? 'low' : 'high',
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-    requiresAIValidation: true, // Dynamic HTML needs validation
+      source: 'structural' as const,    requiresAIValidation: true, // Dynamic HTML needs validation
   })
 }
 
@@ -410,8 +414,9 @@ function handleEvalPattern(
     description: funcPattern.description,
     suggestedFix: funcPattern.suggestedFix,
     confidence: 'high',
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-    requiresAIValidation: true, // Code execution patterns need validation
+      source: 'structural' as const,    requiresAIValidation: true, // Code execution patterns need validation
   })
   return true
 }
@@ -500,8 +505,9 @@ function handleChildProcessPattern(
         description: 'Shell command execution in build/tooling script with hardcoded command. Build scripts are developer-controlled.',
         suggestedFix: 'Ensure this script is not exposed to untrusted input.',
         confidence: 'low',
+        baseConfidence: BASE_CONFIDENCE,
         layer: 2,
-      })
+      source: 'structural' as const,      })
       return true
     }
   }
@@ -527,8 +533,9 @@ function handleChildProcessPattern(
       suggestedFix:
         'Ensure command arguments from IPC are validated against an allowlist.',
       confidence: 'medium',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return true
   }
 
@@ -558,8 +565,9 @@ function handleChildProcessPattern(
     description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
     suggestedFix: funcPattern.suggestedFix,
     confidence,
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-  })
+      source: 'structural' as const,  })
   return true
 }
 
@@ -684,8 +692,9 @@ function handleSQLPattern(
     description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
     suggestedFix: funcPattern.suggestedFix,
     confidence,
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-  })
+      source: 'structural' as const,  })
 }
 
 /**
@@ -724,8 +733,9 @@ function handleFilePathPattern(
       suggestedFix:
         'Ensure file paths are validated and constrained to expected directories.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -783,8 +793,9 @@ function handleFilePathPattern(
       suggestedFix:
         'Ensure path normalization and base directory checks are applied consistently.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -832,8 +843,9 @@ function handleFilePathPattern(
       suggestedFix:
         'Verify paths come from trusted action inputs or environment variables.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -852,8 +864,9 @@ function handleFilePathPattern(
       suggestedFix:
         'Add path validation if accepting paths from untrusted sources.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -915,8 +928,9 @@ function handleFilePathPattern(
     description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
     suggestedFix: funcPattern.suggestedFix,
     confidence,
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-  })
+      source: 'structural' as const,  })
 }
 
 /**
@@ -1071,8 +1085,9 @@ function handleMathRandomPattern(
     description,
     suggestedFix,
     confidence,
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-  })
+      source: 'structural' as const,  })
 }
 
 /**
@@ -1199,8 +1214,9 @@ function handlePythonSubprocessPattern(
         'subprocess with list arguments (safer than shell=True). Some arguments contain variables or f-strings — verify they are validated.',
       suggestedFix: 'Ensure dynamic arguments are validated and sanitized.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -1242,8 +1258,9 @@ function handlePythonSubprocessPattern(
           `subprocess called with variable '${varName}' which resolves to a list. List arguments prevent shell injection, but some elements are dynamic.`,
         suggestedFix: 'Ensure dynamic list elements are validated and sanitized.',
         confidence: 'low',
+        baseConfidence: BASE_CONFIDENCE,
         layer: 2,
-      })
+      source: 'structural' as const,      })
       return
     }
 
@@ -1260,8 +1277,9 @@ function handlePythonSubprocessPattern(
         `subprocess called with variable '${varName}' — could not resolve its value nearby. If it is a list, shell injection risk is low.`,
       suggestedFix: 'Verify the variable is a list (not a string) and arguments are validated.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -1386,8 +1404,9 @@ function handleRegexPattern(
       description: 'Dynamic regex from object property. If the regex source is app-defined (not user input), ReDoS risk is minimal.',
       suggestedFix: 'Ensure regex patterns come from trusted, validated sources.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -1407,8 +1426,9 @@ function handleRegexPattern(
       description: 'Dynamic regex in array iteration. If iterating over app-defined data, ReDoS risk is minimal.',
       suggestedFix: 'Ensure regex patterns come from trusted sources, not user input.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -1426,8 +1446,9 @@ function handleRegexPattern(
         'Dynamic regex with try-catch error handling. ReDoS attacks are contained but may still cause performance issues.',
       suggestedFix: 'Consider using safe-regex library or adding timeout for regex operations.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -1483,8 +1504,9 @@ function handleSpreadPattern(
       description: 'Request body is spread but has schema validation. Schema validation strips unknown properties, reducing mass assignment risk.',
       suggestedFix: 'Ensure schema validation is strict (no .passthrough() in Zod, no additionalProperties in JSON Schema).',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
-    })
+      source: 'structural' as const,    })
     return
   }
 
@@ -1528,6 +1550,7 @@ function handleStandardPattern(
     description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
     suggestedFix: funcPattern.suggestedFix,
     confidence,
+    baseConfidence: BASE_CONFIDENCE,
     layer: 2,
-  })
+      source: 'structural' as const,  })
 }

package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts

@@ -5,11 +5,13 @@
  * based on the data source and error handling context.
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../../types'
-import { isComment, isTestOrMockFile } from '../../utils/context-helpers'
+import type { Vulnerability, VulnerabilitySeverity } from '../../../shared/types'
+import { isComment, isTestOrMockFile } from '../../../parse/file-classifier'
 import { isInsideTryCatch, hasTryCatchNearby } from './utils/control-flow'
 import { hasSchemaValidationNearby } from './utils/schema-validation'
 
+const BASE_CONFIDENCE = 0.35
+
 /**
  * JSON.parse source classification
  * Determines if the input is user-controlled or internal data
@@ -339,7 +341,9 @@ export function detectJSONParseSafe(
       description,
       suggestedFix,
       confidence,
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   })
 
@@ -362,7 +366,9 @@ export function detectJSONParseSafe(
       suggestedFix:
         'Add try-catch for error handling. If parsing user input, add schema validation.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   } else if (instances.length > 0 && instances.length < 3) {
     // Report individually for small counts
@@ -378,7 +384,9 @@ export function detectJSONParseSafe(
         description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
         suggestedFix: 'Consider adding try-catch for robustness.',
         confidence: 'low',
+        baseConfidence: BASE_CONFIDENCE,
         layer: 2,
+        source: 'structural' as const,
       })
     }
   }

package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts

@@ -9,8 +9,8 @@ import {
   isTestOrMockFile,
   isSeedOrDataGenFile,
   isEducationalVulnerabilityFile,
-} from '../../utils/context-helpers'
-import type { ParsedFile } from '../../utils/parsed-file'
+} from '../../../parse/file-classifier'
+import type { ParsedFile } from '../../../shared/parsed-file'
 import { extractFunctionContext } from './utils/control-flow'
 
 /**

package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts

@@ -5,7 +5,7 @@
  * These patterns are used by the main detection engine.
  */
 
-import type { VulnerabilitySeverity } from '../../types'
+import type { VulnerabilitySeverity } from '../../../shared/types'
 
 export interface DangerousFunctionPattern {
   name: string

package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts

@@ -5,11 +5,13 @@
  * proper schema validation.
  */
 
-import type { Vulnerability } from '../../types'
-import { isComment } from '../../utils/context-helpers'
+import type { Vulnerability } from '../../../shared/types'
+import { isComment } from '../../../parse/file-classifier'
 import { hasManualValidation } from './utils/schema-validation'
 import { hasThrowingAuthHelper } from './utils/helpers'
 
+const BASE_CONFIDENCE = 0.35
+
 /**
  * Detect request.json() / req.json() and suggest schema validation
  * This is NOT a dangerous function - it's a prompt for best practices
@@ -102,7 +104,9 @@ export function detectRequestJsonValidation(
       suggestedFix:
         'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
     return
   }
@@ -122,7 +126,9 @@ export function detectRequestJsonValidation(
       suggestedFix:
         'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   } else {
     // Single instance
@@ -139,7 +145,9 @@ export function detectRequestJsonValidation(
       suggestedFix:
         'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   }
 }

package/src/{layer2 → detect/structural}/dangerous-functions/utils/control-flow.ts

@@ -6,8 +6,8 @@
  * wrappers create a temporary ParsedFile to delegate to the shared implementation.
  */
 
-import { ParsedFile } from '../../../utils/parsed-file'
-import * as codeAnalysis from '../../../utils/code-analysis'
+import { ParsedFile } from '../../../../shared/parsed-file'
+import * as codeAnalysis from '../../../../shared/code-analysis'
 
 /**
  * Check if a line is inside a try-catch block

package/src/{layer2 → detect/structural}/data-exposure.ts

@@ -4,9 +4,11 @@
  * Separates "logging concerns" from "response exposure" which have different risk profiles
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
-import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../utils/context-helpers'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.40
 
 interface DataExposurePattern {
   name: string
@@ -217,7 +219,9 @@ export function detectDataExposure(
           description,
           suggestedFix: pattern.suggestedFix,
           confidence: isTestFile ? 'low' : 'medium',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only one finding per line
       }
@@ -249,7 +253,9 @@ export function detectDataExposure(
       description: `${patternSummary}. Review for sensitive data exposure.\n\nFound ${logFindings.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
       suggestedFix: 'Ensure logs have appropriate access controls and do not contain sensitive user data.',
       confidence: 'low',
+      baseConfidence: BASE_CONFIDENCE,
       layer: 2,
+        source: 'structural' as const,
     })
   } else if (logFindings.length > 0) {
     // Report individually for small counts
@@ -267,7 +273,9 @@ export function detectDataExposure(
           description: pattern.description,
           suggestedFix: pattern.suggestedFix,
           confidence: 'low',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
       }
     }

package/src/{layer2 → detect/structural}/framework-checks.ts

@@ -3,8 +3,8 @@
  * Detects security issues specific to popular frameworks (Next.js, Express, React, etc.)
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
-import type { ParsedFile } from '../utils/parsed-file'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isComment,
   isServerOnlyFile,
@@ -12,7 +12,9 @@ import {
   getServiceRoleKeyContext,
   isTestOrMockFile,
   isScannerOrFixtureFile,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+const BASE_CONFIDENCE = 0.20
 
 interface FrameworkPattern {
   name: string
@@ -75,14 +77,7 @@ const FRAMEWORK_PATTERNS: FrameworkPattern[] = [
   },
   
   // ==================== Express ====================
-  {
-    name: 'Express without helmet',
-    pattern: /express\s*\(\s*\)(?![\s\S]*helmet)/gi,
-    severity: 'medium',
-    description: 'Express app may lack security headers (helmet middleware)',
-    suggestedFix: 'Add helmet middleware: app.use(helmet())',
-    framework: 'express',
-  },
+  // NOTE: "Express without helmet" moved to security-headers.ts (OWASP Workstream 1)
   {
     name: 'Express CORS allow all',
     pattern: /cors\s*\(\s*\{[^}]*origin\s*:\s*['"]\*['"]/gi,
@@ -396,7 +391,9 @@ export function detectFrameworkIssues(
             description: adjustedDescription,
             suggestedFix: pattern.suggestedFix,
             confidence: adjustedConfidence,
+            baseConfidence: BASE_CONFIDENCE,
             layer: 2,
+        source: 'structural' as const,
             requiresAIValidation,
           })
           break
@@ -429,7 +426,9 @@ export function detectFrameworkIssues(
           description: isTestFile ? `${pattern.description} (in test file)` : pattern.description,
           suggestedFix: pattern.suggestedFix,
           confidence,
+          baseConfidence: BASE_CONFIDENCE,
           layer: 2,
+        source: 'structural' as const,
         })
         break // Only report once per line
       }