@oculum/scanner 1.0.12 → 1.0.13

package/src/validate/__tests__/request-builder.test.ts

@@ -0,0 +1,347 @@
+/**
+ * Tests for the modified request builder with context extraction support.
+ *
+ * Verifies:
+ * - Scoped mode extracts relevant regions for large files
+ * - Scoped mode sends full content for small files
+ * - Full mode always sends all lines
+ * - Default mode uses scoped
+ * - Multi-file builder works correctly
+ */
+
+import {
+  buildHighContextValidationRequest,
+  buildMultiFileValidationRequest,
+  buildFileTaintSummary,
+  buildFindingTaintAnnotation,
+} from '../request-builder'
+import type { ScanFile, Vulnerability } from '../../shared/types'
+import type { ProjectContext } from '../../model/project-context'
+import type { FileTaintAnalysis } from '../../model/taint-types'
+
+// ============================================================================
+// Test Fixtures
+// ============================================================================
+
+function createMockFile(lineCount: number, path = 'src/test.ts'): ScanFile {
+  const content = Array.from({ length: lineCount }, (_, i) => `const line${i + 1} = 'value${i + 1}'`).join('\n')
+  return {
+    path,
+    content,
+    language: 'typescript',
+    size: content.length,
+  }
+}
+
+function createMockFinding(lineNumber: number, category = 'hardcoded_secret' as const): Vulnerability {
+  return {
+    id: `test-${lineNumber}`,
+    filePath: 'src/test.ts',
+    lineNumber,
+    lineContent: `const line${lineNumber} = 'value${lineNumber}'`,
+    severity: 'high',
+    category,
+    title: 'Test Finding',
+    description: 'Test description',
+    confidence: 'high',
+    layer: 1,
+  }
+}
+
+function createMockProjectContext(): ProjectContext {
+  return {
+    summary: 'Test project context',
+    auth: {
+      hasGlobalMiddleware: false,
+      authProvider: null,
+      protectedPaths: [],
+      publicPaths: [],
+      throwingHelpers: [],
+    },
+    dataAccess: {
+      orm: null,
+      hasRLS: false,
+    },
+    frameworks: {
+      primary: null,
+    },
+    secrets: {
+      hasEnvConfig: false,
+      secretPatterns: [],
+    },
+  } as any
+}
+
+// ============================================================================
+// buildHighContextValidationRequest
+// ============================================================================
+
+describe('buildHighContextValidationRequest', () => {
+  test('scoped mode with large file shows omission markers', () => {
+    const file = createMockFile(300)
+    const findings = [createMockFinding(150)]
+    const context = createMockProjectContext()
+
+    const result = buildHighContextValidationRequest(file, findings, context, {
+      contextMode: 'scoped',
+    })
+
+    expect(result).toContain('lines omitted')
+    expect(result).toContain('Showing')
+    expect(result).toContain('relevant regions around findings')
+    expect(result).toContain(`const line150 = 'value150'`)
+  })
+
+  test('scoped mode with small file sends full content', () => {
+    const file = createMockFile(50)
+    const findings = [createMockFinding(25)]
+    const context = createMockProjectContext()
+
+    const result = buildHighContextValidationRequest(file, findings, context, {
+      contextMode: 'scoped',
+    })
+
+    // Small file should not have omission markers
+    expect(result).not.toContain('lines omitted')
+    // Should contain first and last lines
+    expect(result).toContain(`const line1 = 'value1'`)
+    expect(result).toContain(`const line50 = 'value50'`)
+  })
+
+  test('full mode sends all lines with no omission markers', () => {
+    const file = createMockFile(300)
+    const findings = [createMockFinding(150)]
+    const context = createMockProjectContext()
+
+    const result = buildHighContextValidationRequest(file, findings, context, {
+      contextMode: 'full',
+    })
+
+    expect(result).not.toContain('lines omitted')
+    expect(result).not.toContain('Showing')
+    expect(result).toContain(`const line1 = 'value1'`)
+    expect(result).toContain(`const line300 = 'value300'`)
+  })
+
+  test('default mode uses scoped (large file gets omission markers)', () => {
+    const file = createMockFile(300)
+    const findings = [createMockFinding(150)]
+    const context = createMockProjectContext()
+
+    // No options passed = default
+    const result = buildHighContextValidationRequest(file, findings, context)
+
+    expect(result).toContain('lines omitted')
+  })
+})
+
+// ============================================================================
+// buildMultiFileValidationRequest
+// ============================================================================
+
+describe('buildMultiFileValidationRequest', () => {
+  test('multi-file scoped mode extracts per-file', () => {
+    const file1 = createMockFile(300, 'src/auth.ts')
+    const file2 = createMockFile(50, 'src/utils.ts')
+    const findings1 = [createMockFinding(150)]
+    const findings2 = [createMockFinding(25)]
+    const context = createMockProjectContext()
+
+    const result = buildMultiFileValidationRequest(
+      [
+        { file: file1, findings: findings1 },
+        { file: file2, findings: findings2 },
+      ],
+      context,
+      { contextMode: 'scoped' }
+    )
+
+    // File 1 (large) should have omission
+    expect(result).toContain('FILE 1: src/auth.ts')
+    expect(result).toContain('lines omitted')
+    // File 2 (small) should be full
+    expect(result).toContain('FILE 2: src/utils.ts')
+    // Project context appears once
+    const contextMatches = result.split('## Project Context').length - 1
+    expect(contextMatches).toBe(1)
+  })
+
+  test('multi-file full mode sends all content', () => {
+    const file1 = createMockFile(300, 'src/auth.ts')
+    const findings1 = [createMockFinding(150)]
+    const context = createMockProjectContext()
+
+    const result = buildMultiFileValidationRequest(
+      [{ file: file1, findings: findings1 }],
+      context,
+      { contextMode: 'full' }
+    )
+
+    expect(result).not.toContain('lines omitted')
+    expect(result).toContain(`const line300 = 'value300'`)
+  })
+})
+
+// ============================================================================
+// Taint Annotation Tests
+// ============================================================================
+
+function createMockTaintAnalysis(filePath: string): FileTaintAnalysis {
+  return {
+    filePath,
+    sources: [
+      {
+        line: 12,
+        expression: 'req.params.id',
+        variable: 'id',
+        sourceType: 'http_params',
+        confidence: 'high',
+      },
+    ],
+    taintedVariables: [
+      {
+        name: 'userId',
+        taintedAt: 18,
+        source: {
+          line: 12,
+          expression: 'req.params.id',
+          variable: 'id',
+          sourceType: 'http_params',
+          confidence: 'high',
+        },
+        propagation: 'direct_assignment',
+        sanitised: false,
+        scopeDepth: 0,
+      },
+    ],
+    taintPaths: [
+      {
+        source: {
+          line: 12,
+          expression: 'req.params.id',
+          variable: 'id',
+          sourceType: 'http_params',
+          confidence: 'high',
+        },
+        chain: [
+          {
+            name: 'userId',
+            taintedAt: 18,
+            source: {
+              line: 12,
+              expression: 'req.params.id',
+              variable: 'id',
+              sourceType: 'http_params',
+              confidence: 'high',
+            },
+            propagation: 'direct_assignment',
+            sanitised: false,
+            scopeDepth: 0,
+          },
+        ],
+        sink: {
+          line: 42,
+          expression: 'db.query("SELECT * FROM users WHERE id = " + userId)',
+          sinkType: 'sql_query',
+        },
+        sanitised: false,
+        confidence: 'high',
+      },
+    ],
+    sanitisers: [],
+  }
+}
+
+describe('buildFileTaintSummary', () => {
+  test('returns summary for file with taint data', () => {
+    const analyses = new Map<string, FileTaintAnalysis>()
+    analyses.set('src/test.ts', createMockTaintAnalysis('src/test.ts'))
+
+    const result = buildFileTaintSummary('src/test.ts', analyses)
+
+    expect(result).toContain('Data Flow Analysis')
+    expect(result).toContain('http_params')
+    expect(result).toContain('Taint paths: 1')
+    expect(result).toContain('1 unsanitised')
+  })
+
+  test('returns empty string for file without taint data', () => {
+    const analyses = new Map<string, FileTaintAnalysis>()
+
+    const result = buildFileTaintSummary('src/other.ts', analyses)
+
+    expect(result).toBe('')
+  })
+})
+
+describe('buildFindingTaintAnnotation', () => {
+  test('shows taint path when sink matches finding line', () => {
+    const analyses = new Map<string, FileTaintAnalysis>()
+    analyses.set('src/test.ts', createMockTaintAnalysis('src/test.ts'))
+    const finding = createMockFinding(42, 'sql_injection' as any)
+
+    const result = buildFindingTaintAnnotation(finding, 'src/test.ts', analyses)
+
+    expect(result).toContain('User input reaches this sink')
+    expect(result).toContain('req.params.id')
+    expect(result).toContain('http_params')
+    expect(result).toContain('sql_query')
+    expect(result).toContain('Sanitised: No')
+    expect(result).toContain('Confidence: high')
+  })
+
+  test('shows "no data flow" when file has sources but no matching path', () => {
+    const analyses = new Map<string, FileTaintAnalysis>()
+    analyses.set('src/test.ts', createMockTaintAnalysis('src/test.ts'))
+    const finding = createMockFinding(99) // line 99 has no matching sink
+
+    const result = buildFindingTaintAnnotation(finding, 'src/test.ts', analyses)
+
+    expect(result).toContain('No user-input data flow reaches this line')
+  })
+
+  test('returns empty string when file has no taint analysis', () => {
+    const analyses = new Map<string, FileTaintAnalysis>()
+    const finding = createMockFinding(42)
+
+    const result = buildFindingTaintAnnotation(finding, 'src/test.ts', analyses)
+
+    expect(result).toBe('')
+  })
+})
+
+describe('buildMultiFileValidationRequest with taint data', () => {
+  test('includes taint annotations when taint data provided', () => {
+    const file = createMockFile(50, 'src/test.ts')
+    const finding = createMockFinding(42, 'sql_injection' as any)
+    const context = createMockProjectContext()
+
+    const analyses = new Map<string, FileTaintAnalysis>()
+    analyses.set('src/test.ts', createMockTaintAnalysis('src/test.ts'))
+
+    const result = buildMultiFileValidationRequest(
+      [{ file, findings: [finding] }],
+      context,
+      { contextMode: 'scoped' },
+      analyses
+    )
+
+    expect(result).toContain('Data Flow Analysis')
+    expect(result).toContain('User input reaches this sink')
+  })
+
+  test('no taint annotations when no taint data provided', () => {
+    const file = createMockFile(50, 'src/test.ts')
+    const finding = createMockFinding(42)
+    const context = createMockProjectContext()
+
+    const result = buildMultiFileValidationRequest(
+      [{ file, findings: [finding] }],
+      context,
+      { contextMode: 'scoped' }
+    )
+
+    expect(result).not.toContain('Data Flow Analysis')
+    expect(result).not.toContain('Taint Analysis')
+  })
+})

package/src/{layer3/anthropic → validate}/index.ts

@@ -12,9 +12,10 @@
  * Also provides high-context validation for Layer 1/2 findings.
  */
 
-import type { Vulnerability, ScanFile } from '../../types'
-import type { ProjectContext } from '../../utils/project-context-builder'
-import { buildProjectContext } from '../../utils/project-context-builder'
+import type { Vulnerability, ScanFile } from '../shared/types'
+import type { ContextEngineResult } from '../model/taint-types'
+import type { ProjectContext } from '../model/project-context'
+import { buildProjectContext } from '../model/project-context'
 import type { ValidationStats, AIValidationResult, Layer3Context, AIFinding } from './types'
 import { createInitialStats } from './types'
 import { getAnthropicClient } from './clients'
@@ -25,7 +26,7 @@ import { validateWithAnthropic } from './providers/anthropic'
 
 // Re-export types and functions for backward compatibility
 export type { ValidationStats, AIValidationResult, Layer3Context } from './types'
-export { applyAutoDismissRules } from './auto-dismiss'
+export { applyAutoDismissRules } from '../score/auto-dismiss'
 
 // ============================================================================
 // Layer 3: Deep AI Analysis
@@ -148,7 +149,7 @@ export async function batchAnalyzeWithAI(
 export async function validateFindingsWithAI(
   findings: Vulnerability[],
   files: ScanFile[],
-  projectContext?: ProjectContext,
+  ceResult?: ContextEngineResult,
   onProgress?: (progress: { filesProcessed: number; totalFiles: number; status: string }) => void
 ): Promise<AIValidationResult> {
   // Initialize stats tracking
@@ -162,9 +163,9 @@ export async function validateFindingsWithAI(
   const aiProvider = process.env.AI_PROVIDER || 'openai'
   if (aiProvider === 'anthropic') {
     console.log('[AI Validation] Using Anthropic provider (Claude 3.5 Haiku)')
-    return validateWithAnthropic(findings, files, projectContext, stats, onProgress)
+    return validateWithAnthropic(findings, files, ceResult, stats, onProgress)
   } else {
     console.log('[AI Validation] Using OpenAI provider (GPT-5-mini)')
-    return validateWithOpenAI(findings, files, projectContext, stats)
+    return validateWithOpenAI(findings, files, ceResult, stats)
   }
 }

package/src/{layer3/anthropic → validate}/prompts/index.ts

@@ -11,4 +11,6 @@ export {
 
 export {
   HIGH_CONTEXT_VALIDATION_PROMPT,
+  assembleValidationPrompt,
+  getFullValidationPrompt,
 } from './validation'

package/src/validate/prompts/modules/ai-patterns.ts

@@ -0,0 +1,153 @@
+/**
+ * AI Patterns Module
+ *
+ * Categories: ai_pattern, ai_prompt_injection, ai_unsafe_execution,
+ *             ai_overpermissive_tool, suspicious_package, ai_rag_exfiltration,
+ *             ai_endpoint_unprotected, ai_schema_mismatch, ai_package_hallucination,
+ *             ai_rag_corpus_poisoning, ai_rag_pii_leakage, ai_mcp_tool_poisoning,
+ *             ai_mcp_credential_issue, ai_mcp_confused_deputy,
+ *             ai_mcp_description_injection, ai_mcp_server_shadowing,
+ *             ai_mcp_config_secrets, ai_mcp_config_permissions,
+ *             ai_rag_query_injection, ai_rag_embedding_poisoning,
+ *             ai_rag_chunk_injection, ai_package_typosquat, ai_package_malicious,
+ *             ai_unsafe_model_load, ai_unverified_model, ai_unsafe_finetuning,
+ *             ai_excessive_agency
+ *
+ * Contains AI/LLM-specific patterns that require semantic AI reasoning.
+ */
+
+export const AI_PATTERNS_MODULE = `
+### AI/LLM-Specific Patterns
+
+**Prompt Injection (ai_prompt_injection):**
+- User input in system prompt WITHOUT delimiters (code fences, XML tags, separators) -> **HIGH** (real risk)
+- User input in system prompt WITH clear delimiters -> **INFO** (properly fenced)
+- Static prompts with no user interpolation -> **REJECT** (false positive)
+- Prompt templates using proper parameterization/placeholders -> **REJECT**
+
+**LLM Output Execution (ai_unsafe_execution):**
+- LLM output fed to eval()/Function()/exec() WITHOUT sandbox -> **CRITICAL** (arbitrary code execution)
+- LLM output to execution WITH sandbox (vm2, isolated-vm) -> **MEDIUM** (risk mitigated)
+- LLM output to execution WITH validation AND sandbox -> **LOW** (well-protected)
+- LLM output used for display only (console.log, UI) -> **REJECT** (not execution)
+- Generated SQL from LLM without parameterization -> **CRITICAL** (SQL injection)
+- Generated SQL with parameterized queries -> **MEDIUM** (logic may still be wrong)
+
+**Agent Tool Permissions (ai_overpermissive_tool):**
+- Tool with unrestricted file/network/exec access -> **HIGH** (overpermissive)
+- Tool without user context verification -> **MEDIUM** (missing authorization)
+- Tool with proper scoping, allowlists, and user verification -> **LOW** or **REJECT**
+- Test files with tool definitions -> **INFO** or **REJECT**
+
+**Hallucinated Dependencies (suspicious_package):**
+- Package not found in registry -> **CRITICAL** (likely AI-hallucinated name)
+- Very new package (less than 7 days old) with low downloads and typosquat pattern -> **HIGH**
+- Legitimate looking package with source/repo but low popularity -> **MEDIUM** (needs review)
+- Known legitimate package with unusual name (in allowlist) -> **REJECT**
+
+**CRITICAL AI PATTERN RULES**:
+- AI code generation often produces non-existent package names - flag these prominently
+- Prompt injection is NOT the same as XSS - different threat model and severity
+- Sandboxed code execution (vm2, isolated-vm) significantly reduces risk
+- Agent tools need both access restrictions AND user context verification
+
+### RAG Data Exfiltration (ai_rag_exfiltration)
+Retrieval Augmented Generation systems can leak sensitive data across tenant boundaries.
+
+**Unscoped Retrieval Queries:**
+- Vector store query WITHOUT user/tenant filter -> **HIGH** (cross-tenant data access)
+  - .query(), .search(), .similaritySearch() without filter/where/userId/tenantId parameter
+  - LangChain retriever.invoke() without metadata filter
+  - Pinecone/Chroma/Weaviate query without namespace or metadata filter
+- Query WITH proper scoping (filter by userId/tenantId) -> **REJECT** (properly scoped)
+- Query with RLS-enabled Supabase tables -> **LOW/INFO** (verify RLS policy)
+
+**Raw Context Exposure:**
+- Raw sourceDocuments/chunks returned in API response -> **MEDIUM** (data leak to client)
+- Raw context returned WITHOUT authentication -> **HIGH** (public data leak)
+- Filtered response (only IDs, titles, metadata) -> **REJECT** (properly filtered)
+- Response filtering visible nearby (.map, sanitize, redact) -> **INFO**
+
+**Context Logging:**
+- Logging retrieved documents (debug) -> **INFO** (hygiene, not direct risk)
+- Logging full prompts with context -> **LOW** (audit concern if logs are accessible)
+- Persisting prompts/context to database -> **MEDIUM** (sensitive data retention)
+
+**CRITICAL RAG RULES**:
+- Cross-tenant data access is the PRIMARY risk - always check for user/tenant scoping
+- Authenticated endpoints exposing context are MEDIUM; unauthenticated are HIGH
+- Debug logging is INFO severity - it's not a direct vulnerability
+- If RLS or middleware protection is visible, downgrade significantly
+
+### AI Endpoint Protection (ai_endpoint_unprotected)
+AI/LLM API endpoints can incur significant costs and enable data exfiltration.
+
+**No Authentication + No Rate Limiting -> HIGH:**
+- Endpoint calls OpenAI/Anthropic/etc. without any auth check or rate limit
+- Anyone on the internet can abuse the endpoint and run up API costs
+- Potential for prompt exfiltration or model abuse
+
+**Has Rate Limiting but No Authentication -> MEDIUM:**
+- Rate limit provides some protection against abuse
+- Still allows anonymous access to AI functionality
+- Suggest adding authentication
+
+**Has Authentication but No Rate Limiting -> LOW:**
+- Authenticated users could still abuse the endpoint
+- Suggest adding rate limiting for cost control
+- severity: low (suggest improvement)
+
+**Has Both Auth and Rate Limiting -> INFO/REJECT:**
+- Properly protected endpoint
+- REJECT if both are clearly present
+- INFO if you want to note the good pattern
+
+**BYOK (Bring Your Own Key) Endpoints:**
+- If user provides their own API key, risk is LOWER
+- User pays for their own usage - cost abuse is their problem
+- Downgrade severity by one level for BYOK patterns
+
+**Protected by Middleware:**
+- If project context shows auth middleware protecting the route, downgrade to INFO
+- Internal/admin routes should be INFO or REJECT
+
+**CRITICAL ENDPOINT RULES**:
+- Cost abuse is real - unprotected AI endpoints can bankrupt a startup
+- Rate limiting alone isn't enough - need auth to prevent anonymous abuse
+- BYOK endpoints have lower risk since user bears the cost
+- Check for middleware protection before flagging
+
+### Schema/Tooling Mismatch (ai_schema_mismatch)
+AI-generated structured outputs need validation before use in security-sensitive contexts.
+
+**Unvalidated AI Output Parsing:**
+- JSON.parse(response.content) without schema validation -> **MEDIUM**
+  - AI may return malformed or unexpected structures
+  - Suggest zod/ajv/joi validation
+- AI output to EXECUTION SINK (eval, exec, query) without validation -> **HIGH**
+  - Direct path to code/SQL injection
+- AI output to DISPLAY only (console.log, UI render) -> **REJECT**
+  - Not a security issue for display purposes
+- OpenAI Structured Outputs (json_schema in request) -> **REJECT**
+  - API-level validation provides guarantees
+
+**Weak Schema Patterns:**
+- response: any at API boundary -> **MEDIUM** (no type safety)
+- z.any() or z.unknown() -> **LOW** (defeats purpose of validation)
+- z.passthrough() -> **INFO** (allows extra properties, minor concern)
+- Specific schema defined and used -> **REJECT** (properly validated)
+
+**Tool Parameter Validation:**
+- Tool parameter -> file path without validation -> **HIGH** (path traversal)
+- Tool parameter -> shell command without validation -> **CRITICAL** (command injection)
+- Tool parameter -> URL without validation -> **HIGH** (SSRF)
+- Tool parameter -> DB query without validation -> **HIGH** (SQL injection)
+- Tool parameter with allowlist check visible -> **LOW/REJECT** (mitigated)
+
+**CRITICAL SCHEMA RULES**:
+- The severity depends on WHERE the AI output is used, not just that it's parsed
+- Execution sinks (eval, exec, query, fs) need HIGH severity without validation
+- Display-only usage is NOT a security issue
+- Schema validation (zod, ajv, joi) significantly reduces risk
+- OpenAI Structured Outputs provide API-level guarantees
+`

package/src/validate/prompts/modules/auth-access.ts

@@ -0,0 +1,22 @@
+/**
+ * Auth Access Prompt Module
+ *
+ * Categories: missing_auth, security_bypass
+ * Contains contradiction handling rules that require AI reasoning.
+ * Heuristic-handled patterns (middleware awareness, throwing helpers) are NOT included.
+ */
+
+export const AUTH_ACCESS_MODULE = `
+### Authentication & Access Control
+
+Flag as REAL vulnerability (keep high severity) ONLY when:
+- Route has no visible auth check AND is NOT covered by middleware AND has no throwing auth helper
+- Sensitive operations without user scoping (cross-tenant access possible)
+- Auth checks that can be bypassed (e.g., checking wrong variable)
+
+**CRITICAL CONTRADICTION HANDLING**:
+- If we detect both "protected by middleware" and "missing auth" on the same route - REJECT the "missing auth" finding
+- If we detect both "uses throwing auth helper" and "missing auth" - REJECT the "missing auth" finding
+- Client components calling these protected API routes should NOT be flagged for "missing auth"
+- Adding "if (!userId)" after a throwing helper is a FALSE POSITIVE - reject it
+`