@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/secrets/patterns.js

@@ -0,0 +1,518 @@
+"use strict";
+/**
+ * Layer 1: Known Pattern Matching
+ * Curated library of high-fidelity regex patterns for detecting secrets
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRET_PATTERNS = void 0;
+exports.detectKnownPatterns = detectKnownPatterns;
+const file_classifier_1 = require("../../parse/file-classifier");
+// Base confidence for known API key format patterns (AWS, GitHub, Stripe, etc.)
+const BASE_CONFIDENCE_KNOWN = 0.70;
+// Base confidence for generic secret patterns (api_key=, secret_key=, etc.)
+const BASE_CONFIDENCE_GENERIC = 0.50;
+// Check if file is documentation/README
+function isDocumentationFile(filePath) {
+    const docPatterns = [
+        /README/i,
+        /CHANGELOG/i,
+        /CONTRIBUTING/i,
+        /LICENSE/i,
+        /CODE_OF_CONDUCT/i,
+        /SECURITY/i,
+        /AUTHORS/i,
+        /HISTORY/i,
+        /\.md$/i,
+        /\.mdx$/i,
+        /\.rst$/i, // reStructuredText
+        /\.adoc$/i, // AsciiDoc
+        /\.txt$/i, // Plain text docs
+        /\/docs\//i,
+        /\/documentation\//i,
+        /\/wiki\//i,
+        /\/guides?\//i,
+        /\/tutorials?\//i,
+        /\/examples?\//i, // Example directories often have sample configs
+    ];
+    return docPatterns.some(p => p.test(filePath));
+}
+// Check if value is a masked/redacted string (for safe logging)
+function isMaskedOrRedactedString(value) {
+    const maskedPatterns = [
+        /\*{3,}/, // Three or more asterisks: ***
+        /^\w+:\/\/\*+$/, // Protocol with just asterisks: redis://***
+        /^\w+:\/\/\*{3,}$/, // Same pattern
+        /\[REDACTED\]/i, // [REDACTED]
+        /\[MASKED\]/i, // [MASKED]
+        /\[HIDDEN\]/i, // [HIDDEN]
+        /\[REMOVED\]/i, // [REMOVED]
+        /\[SECRET\]/i, // [SECRET]
+        /<REDACTED>/i, // <REDACTED>
+        /<MASKED>/i, // <MASKED>
+        /x{4,}/i, // xxxx (4+ x's)
+        /^\*+:/, // ***: at start (masked user)
+    ];
+    return maskedPatterns.some(p => p.test(value));
+}
+// Check if line contains example/sample placeholder values (not real secrets)
+function isExamplePlaceholder(line, value) {
+    // First check if this is a masked/redacted string for safe logging
+    if (isMaskedOrRedactedString(value)) {
+        return true;
+    }
+    const placeholderPatterns = [
+        // Common placeholder indicators in the line context
+        /example/i,
+        /sample/i,
+        /demo/i,
+        /placeholder/i,
+        /your[_-]?api[_-]?key/i,
+        /your[_-]?secret/i,
+        /replace[_-]?with/i,
+        /insert[_-]?here/i,
+        /xxx+/i,
+        /yyy+/i,
+        /todo/i,
+        /fixme/i,
+    ];
+    // Check if the value itself looks like a placeholder
+    const valuePlaceholderPatterns = [
+        /^your[_-]/i,
+        /^my[_-]/i,
+        /^test[_-]/i,
+        /^sample[_-]/i,
+        /^example[_-]/i,
+        /^demo[_-]/i,
+        /^placeholder/i,
+        /^xxx+$/i,
+        /^yyy+$/i,
+        /^\*+$/, // Just asterisks
+        /^\.{3,}$/, // Just dots
+        /^<.*>$/, // Angle bracket placeholders like <YOUR_KEY>
+        /^\[.*\]$/, // Square bracket placeholders like [YOUR_KEY]
+        /^\{.*\}$/, // Curly bracket placeholders like {YOUR_KEY}
+    ];
+    return placeholderPatterns.some(p => p.test(line)) ||
+        valuePlaceholderPatterns.some(p => p.test(value));
+}
+// Check if the variable name indicates test/mock data
+function hasTestVariableName(line) {
+    const varNamePatterns = [
+        // JS/TS variable declarations: const TEST_API_KEY = "..."
+        /(?:const|let|var|export\s+const|export\s+let)\s+([A-Z_][A-Z0-9_]*)\s*=/i,
+        // Object property shorthand or assignment: TEST_KEY: "..." or "testKey": "..."
+        /([A-Z_][A-Z0-9_]*)\s*:\s*['"`]/,
+        // JSON-style keys: "test_key": or 'testKey':
+        /['"]([a-zA-Z_][a-zA-Z0-9_]*)['"]\s*:/,
+    ];
+    // Keywords that indicate test/mock data when in variable names
+    const testKeywords = /^(TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE|PLACEHOLDER|DEMO)[_A-Z0-9]*$/i;
+    const testSuffixes = /_?(TEST|MOCK|EXAMPLE|DUMMY|FAKE|SAMPLE)$/i;
+    for (const pattern of varNamePatterns) {
+        const match = line.match(pattern);
+        if (match && match[1]) {
+            const varName = match[1];
+            if (testKeywords.test(varName) || testSuffixes.test(varName)) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+// Comprehensive list of secret patterns with specific prefixes
+exports.SECRET_PATTERNS = [
+    // API Keys with known prefixes
+    {
+        name: 'OpenAI API Key',
+        pattern: /sk-[a-zA-Z0-9]{20,}/g,
+        severity: 'critical',
+        description: 'OpenAI API key detected',
+    },
+    {
+        name: 'OpenAI Project API Key',
+        pattern: /sk-proj-[a-zA-Z0-9]{48,}/g,
+        severity: 'critical',
+        description: 'OpenAI project API key detected (new format)',
+    },
+    {
+        name: 'Anthropic API Key',
+        pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g,
+        severity: 'critical',
+        description: 'Anthropic API key detected',
+    },
+    {
+        name: 'Anthropic API Key (Full)',
+        pattern: /sk-ant-api03-[a-zA-Z0-9_-]{90,}/g,
+        severity: 'critical',
+        description: 'Anthropic API key detected (full format)',
+    },
+    {
+        name: 'GitHub Token',
+        pattern: /ghp_[a-zA-Z0-9]{36,}/g,
+        severity: 'critical',
+        description: 'GitHub personal access token detected',
+    },
+    {
+        name: 'GitHub OAuth Token',
+        pattern: /gho_[a-zA-Z0-9]{36,}/g,
+        severity: 'critical',
+        description: 'GitHub OAuth token detected',
+    },
+    {
+        name: 'GitHub App Token',
+        pattern: /ghu_[a-zA-Z0-9]{36,}/g,
+        severity: 'critical',
+        description: 'GitHub App user token detected',
+    },
+    {
+        name: 'GitHub Refresh Token',
+        pattern: /ghr_[a-zA-Z0-9]{36,}/g,
+        severity: 'critical',
+        description: 'GitHub refresh token detected',
+    },
+    {
+        name: 'Stripe Secret Key',
+        pattern: /sk_live_[a-zA-Z0-9]{24,}/g,
+        severity: 'critical',
+        description: 'Stripe live secret key detected',
+    },
+    {
+        name: 'Stripe Test Key',
+        pattern: /sk_test_[a-zA-Z0-9]{24,}/g,
+        severity: 'medium',
+        description: 'Stripe test secret key detected',
+    },
+    {
+        name: 'Stripe Publishable Key',
+        pattern: /pk_(live|test)_[a-zA-Z0-9]{24,}/g,
+        severity: 'low',
+        description: 'Stripe publishable key detected (usually safe but verify)',
+    },
+    {
+        name: 'Square Access Token',
+        pattern: /sq0csp-[a-zA-Z0-9-_]{43}/g,
+        severity: 'critical',
+        description: 'Square access token detected',
+    },
+    {
+        name: 'AWS Access Key ID',
+        pattern: /AKIA[0-9A-Z]{16}/g,
+        severity: 'critical',
+        description: 'AWS Access Key ID detected',
+    },
+    {
+        name: 'AWS Secret Access Key',
+        // AWS secret keys are exactly 40 chars, base64-like, and typically appear near AWS context
+        // The pattern requires it to be in an AWS-related context (variable name, nearby AKIA, etc.)
+        pattern: /(?:aws[_-]?secret[_-]?(?:access[_-]?)?key|secret[_-]?access[_-]?key|AWS_SECRET)\s*[:=]\s*['"`]?([a-zA-Z0-9/+=]{40})['"`]?/gi,
+        severity: 'critical',
+        description: 'AWS Secret Access Key detected',
+    },
+    {
+        name: 'Google API Key',
+        pattern: /AIza[0-9A-Za-z-_]{35}/g,
+        severity: 'high',
+        description: 'Google API key detected',
+    },
+    {
+        name: 'Slack Token',
+        pattern: /xox[baprs]-[0-9a-zA-Z]{10,}/g,
+        severity: 'critical',
+        description: 'Slack token detected',
+    },
+    {
+        name: 'Slack Webhook',
+        pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/g,
+        severity: 'high',
+        description: 'Slack webhook URL detected',
+    },
+    {
+        name: 'Discord Webhook',
+        pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/g,
+        severity: 'high',
+        description: 'Discord webhook URL detected',
+    },
+    {
+        name: 'Twilio API Key',
+        pattern: /SK[a-f0-9]{32}/g,
+        severity: 'critical',
+        description: 'Twilio API key detected',
+    },
+    {
+        name: 'SendGrid API Key',
+        pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+        severity: 'critical',
+        description: 'SendGrid API key detected',
+    },
+    {
+        name: 'Mailgun API Key',
+        pattern: /key-[a-zA-Z0-9]{32}/g,
+        severity: 'critical',
+        description: 'Mailgun API key detected',
+    },
+    {
+        name: 'Firebase API Key',
+        pattern: /AIza[0-9A-Za-z-_]{35}/g,
+        severity: 'high',
+        description: 'Firebase API key detected',
+    },
+    {
+        name: 'Supabase Anon Key',
+        pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
+        severity: 'low',
+        description: 'Supabase anon key detected (usually safe for client-side)',
+    },
+    {
+        name: 'Supabase Service Role Key',
+        pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
+        severity: 'critical',
+        description: 'JWT token detected - verify if this is a service role key',
+    },
+    {
+        name: 'Heroku API Key',
+        pattern: /[h|H][e|E][r|R][o|O][k|K][u|U].*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/gi,
+        severity: 'critical',
+        description: 'Heroku API key detected',
+    },
+    {
+        name: 'NPM Token',
+        pattern: /npm_[a-zA-Z0-9]{36}/g,
+        severity: 'critical',
+        description: 'NPM access token detected',
+    },
+    {
+        name: 'PyPI Token',
+        pattern: /pypi-[a-zA-Z0-9]{32,}/g,
+        severity: 'critical',
+        description: 'PyPI API token detected',
+    },
+    {
+        name: 'Private Key',
+        pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'Private key detected',
+    },
+    {
+        name: 'Generic Password in URL',
+        pattern: /[a-zA-Z]{3,10}:\/\/[^:]+:[^@]+@/g,
+        severity: 'high',
+        description: 'Password in URL detected',
+    },
+    {
+        name: 'Database Connection String',
+        // Only match connection strings WITH credentials (user:pass@ pattern)
+        // Skip credential-less URLs like redis://redis:6379 (Docker internal)
+        pattern: /(mongodb|postgres|mysql|redis|amqp)(\+srv)?:\/\/[^:@\s"']+:[^@\s"']+@[^\s"']+/gi,
+        severity: 'high',
+        description: 'Database connection string with credentials detected',
+    },
+    // Additional patterns from checklist
+    {
+        name: 'Hardcoded JWT Token',
+        pattern: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g,
+        severity: 'high',
+        description: 'Hardcoded JWT token detected',
+    },
+    {
+        name: 'PostgreSQL Connection String',
+        pattern: /postgres:\/\/[^:]+:[^@]+@[^\s"']+/gi,
+        severity: 'critical',
+        description: 'PostgreSQL connection string with credentials detected',
+    },
+    {
+        name: 'MongoDB Connection String',
+        pattern: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@[^\s"']+/gi,
+        severity: 'critical',
+        description: 'MongoDB connection string with credentials detected',
+    },
+    {
+        name: 'MySQL Connection String',
+        pattern: /mysql:\/\/[^:]+:[^@]+@[^\s"']+/gi,
+        severity: 'critical',
+        description: 'MySQL connection string with credentials detected',
+    },
+    {
+        name: 'Generic API Key Assignment',
+        pattern: /['"']?api[_-]?key['"']?\s*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/gi,
+        severity: 'medium',
+        description: 'Possible API key assignment detected - requires validation',
+    },
+    {
+        name: 'Generic Secret Key Assignment',
+        pattern: /['"']?secret[_-]?key['"']?\s*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/gi,
+        severity: 'medium',
+        description: 'Possible secret key assignment detected - requires validation',
+    },
+    {
+        name: 'Vercel Token',
+        pattern: /vercel_[a-zA-Z0-9]{24,}/gi,
+        severity: 'critical',
+        description: 'Vercel API token detected',
+    },
+    {
+        name: 'Netlify Token',
+        pattern: /nfp_[a-zA-Z0-9]{40,}/gi,
+        severity: 'critical',
+        description: 'Netlify personal access token detected',
+    },
+    {
+        name: 'Cloudflare API Token',
+        pattern: /[a-zA-Z0-9_-]{40}(?=.*cloudflare)/gi,
+        severity: 'high',
+        description: 'Potential Cloudflare API token detected',
+    },
+];
+function detectKnownPatterns(content, filePath, options) {
+    const vulnerabilities = [];
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    // Skip example files entirely
+    if ((0, file_classifier_1.isExampleFile)(filePath)) {
+        return vulnerabilities;
+    }
+    // Skip scanner/fixture files to avoid self-detection
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath)) {
+        return vulnerabilities;
+    }
+    // Skip documentation/README files
+    if (isDocumentationFile(filePath)) {
+        return vulnerabilities;
+    }
+    // Check context for file-level decisions
+    const isServerFile = (0, file_classifier_1.isServerOnlyFile)(filePath);
+    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
+    const isPython = (0, file_classifier_1.isPythonFile)(filePath);
+    for (const secretPattern of exports.SECRET_PATTERNS) {
+        lines.forEach((line, index) => {
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(line))
+                return;
+            // Skip Python docstrings - they often contain example connection strings
+            // and other documentation that shouldn't be flagged
+            if (isPython && (0, file_classifier_1.isInsidePythonDocstring)(lines, index)) {
+                return;
+            }
+            // Reset regex state
+            const regex = new RegExp(secretPattern.pattern.source, secretPattern.pattern.flags);
+            let match;
+            while ((match = regex.exec(line)) !== null) {
+                const value = match[0];
+                // Skip placeholder values
+                if ((0, file_classifier_1.isPlaceholderValue)(value, line)) {
+                    continue;
+                }
+                // Skip obvious example/sample values
+                if (/example|sample|demo|test|dummy|fake|mock/i.test(value)) {
+                    continue;
+                }
+                // Skip values that look like format descriptions
+                if (/^[a-z]+_[a-z]+_[a-z]+$/i.test(value) || /^your[_-]/i.test(value)) {
+                    continue;
+                }
+                // Skip example/placeholder values (more comprehensive check)
+                if (isExamplePlaceholder(line, value)) {
+                    continue;
+                }
+                // Skip secrets in variables with test/mock names (e.g., TEST_API_KEY, MOCK_SECRET)
+                if (hasTestVariableName(line)) {
+                    continue;
+                }
+                // Check for BYOK (Bring Your Own Key) context - this is a feature, not a vulnerability
+                if ((0, file_classifier_1.isBYOKContext)(line, filePath)) {
+                    // Skip BYOK patterns entirely if they're properly handled in server context
+                    if (isServerFile && (0, file_classifier_1.isEnvVarReference)(line)) {
+                        continue;
+                    }
+                    // For client-side BYOK forms, we still don't flag - it's user input
+                    // Only flag if it's a hardcoded key being exposed
+                    if (!(0, file_classifier_1.isEnvVarReference)(line) && line.includes('=') && /['"`][a-zA-Z0-9_-]{20,}['"`]/.test(line)) {
+                        // This might be a hardcoded default key in a BYOK context - needs review
+                    }
+                    else {
+                        continue;
+                    }
+                }
+                // Determine severity based on context
+                let adjustedSeverity = secretPattern.severity;
+                let requiresAIValidation = false;
+                let adjustedDescription = secretPattern.description;
+                let adjustedConfidence = 'high';
+                // Check if this is a Supabase service role key or JWT
+                const isSupabaseOrJWT = secretPattern.name.includes('Supabase') ||
+                    secretPattern.name.includes('JWT') ||
+                    /eyJ[a-zA-Z0-9_-]+\.eyJ/.test(value);
+                if (isSupabaseOrJWT) {
+                    // Use the comprehensive service role context checker
+                    const serviceRoleContext = (0, file_classifier_1.getServiceRoleKeyContext)(line, filePath);
+                    if (serviceRoleContext === 'safe_server') {
+                        // Server-only + env var = expected pattern, skip entirely
+                        continue;
+                    }
+                    else if (serviceRoleContext === 'client_exposure') {
+                        // Client exposure = critical
+                        adjustedSeverity = 'critical';
+                        requiresAIValidation = true;
+                        adjustedDescription = (0, file_classifier_1.isNextPublicEnvVar)(line)
+                            ? `${secretPattern.description} - EXPOSED via NEXT_PUBLIC_ prefix (client-accessible)`
+                            : `${secretPattern.description} - may be exposed to client bundle`;
+                    }
+                    else {
+                        // needs_review - check more context
+                        if ((0, file_classifier_1.isEnvVarReference)(line)) {
+                            // Using env var but context unclear - validate
+                            adjustedSeverity = 'medium';
+                            requiresAIValidation = true;
+                            adjustedDescription = `${secretPattern.description} - verify this is not exposed to client`;
+                        }
+                        else if (isServerFile) {
+                            // Hardcoded in server file - bad but not critical
+                            adjustedSeverity = 'high';
+                            requiresAIValidation = true;
+                            adjustedDescription = `${secretPattern.description} - hardcoded in server file, should use env var`;
+                        }
+                        else {
+                            // Hardcoded in unknown context - critical + needs validation
+                            adjustedSeverity = 'critical';
+                            requiresAIValidation = true;
+                            adjustedDescription = `${secretPattern.description} - hardcoded secret may be exposed`;
+                        }
+                    }
+                }
+                // Downgrade test file severity
+                if (isTestFile) {
+                    if (adjustedSeverity === 'critical') {
+                        adjustedSeverity = 'medium';
+                    }
+                    else if (adjustedSeverity === 'high') {
+                        adjustedSeverity = 'low';
+                    }
+                    else {
+                        adjustedSeverity = 'info';
+                    }
+                    adjustedConfidence = 'low';
+                    adjustedDescription = `${adjustedDescription} (in test file)`;
+                }
+                // Generic patterns always require AI validation
+                const isGenericPattern = secretPattern.name.includes('Generic');
+                const finalRequiresAIValidation = requiresAIValidation || isGenericPattern;
+                vulnerabilities.push({
+                    id: `pattern-${filePath}-${index + 1}-${secretPattern.name}`,
+                    filePath,
+                    lineNumber: index + 1,
+                    lineContent: line.trim(),
+                    severity: adjustedSeverity,
+                    category: 'hardcoded_secret',
+                    title: secretPattern.name,
+                    description: adjustedDescription,
+                    suggestedFix: 'Move this secret to an environment variable. Never commit secrets to version control.',
+                    confidence: adjustedConfidence,
+                    baseConfidence: isGenericPattern ? BASE_CONFIDENCE_GENERIC : BASE_CONFIDENCE_KNOWN,
+                    layer: 1,
+                    source: 'secrets',
+                    requiresAIValidation: finalRequiresAIValidation,
+                });
+            }
+        });
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=patterns.js.map

package/dist/detect/secrets/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/detect/secrets/patterns.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAkYH,kDA2KC;AAziBD,iEAaoC;AAEpC,gFAAgF;AAChF,MAAM,qBAAqB,GAAG,IAAI,CAAA;AAClC,4EAA4E;AAC5E,MAAM,uBAAuB,GAAG,IAAI,CAAA;AAEpC,wCAAwC;AACxC,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,MAAM,WAAW,GAAG;QAClB,SAAS;QACT,YAAY;QACZ,eAAe;QACf,UAAU;QACV,kBAAkB;QAClB,WAAW;QACX,UAAU;QACV,UAAU;QACV,QAAQ;QACR,SAAS;QACT,SAAS,EAAS,mBAAmB;QACrC,UAAU,EAAQ,WAAW;QAC7B,SAAS,EAAS,kBAAkB;QACpC,WAAW;QACX,oBAAoB;QACpB,WAAW;QACX,cAAc;QACd,iBAAiB;QACjB,gBAAgB,EAAG,gDAAgD;KACpE,CAAA;IACD,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,gEAAgE;AAChE,SAAS,wBAAwB,CAAC,KAAa;IAC7C,MAAM,cAAc,GAAG;QACrB,QAAQ,EAAuB,+BAA+B;QAC9D,eAAe,EAAgB,4CAA4C;QAC3E,kBAAkB,EAAa,eAAe;QAC9C,eAAe,EAAgB,aAAa;QAC5C,aAAa,EAAkB,WAAW;QAC1C,aAAa,EAAkB,WAAW;QAC1C,cAAc,EAAiB,YAAY;QAC3C,aAAa,EAAkB,WAAW;QAC1C,aAAa,EAAkB,aAAa;QAC5C,WAAW,EAAoB,WAAW;QAC1C,QAAQ,EAAuB,gBAAgB;QAC/C,OAAO,EAAwB,8BAA8B;KAC9D,CAAA;IAED,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAA;AAChD,CAAC;AAED,8EAA8E;AAC9E,SAAS,oBAAoB,CAAC,IAAY,EAAE,KAAa;IACvD,mEAAmE;IACnE,IAAI,wBAAwB,CAAC,KAAK,CAAC,EAAE,CAAC;QACpC,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,mBAAmB,GAAG;QAC1B,oDAAoD;QACpD,UAAU;QACV,SAAS;QACT,OAAO;QACP,cAAc;QACd,uBAAuB;QACvB,kBAAkB;QAClB,mBAAmB;QACnB,kBAAkB;QAClB,OAAO;QACP,OAAO;QACP,OAAO;QACP,QAAQ;KACT,CAAA;IAED,qDAAqD;IACrD,MAAM,wBAAwB,GAAG;QAC/B,YAAY;QACZ,UAAU;QACV,YAAY;QACZ,cAAc;QACd,eAAe;QACf,YAAY;QACZ,eAAe;QACf,SAAS;QACT,SAAS;QACT,OAAO,EAAY,iBAAiB;QACpC,UAAU,EAAS,YAAY;QAC/B,QAAQ,EAAW,6CAA6C;QAChE,UAAU,EAAS,8CAA8C;QACjE,UAAU,EAAS,6CAA6C;KACjE,CAAA;IAED,OAAO,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAA;AAC1D,CAAC;AAED,sDAAsD;AACtD,SAAS,mBAAmB,CAAC,IAAY;IACvC,MAAM,eAAe,GAAG;QACtB,0DAA0D;QAC1D,yEAAyE;QACzE,+EAA+E;QAC/E,gCAAgC;QAChC,6CAA6C;QAC7C,sCAAsC;KACvC,CAAA;IAED,+DAA+D;IAC/D,MAAM,YAAY,GAAG,qEAAqE,CAAA;IAC1F,MAAM,YAAY,GAAG,2CAA2C,CAAA;IAEhE,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QACjC,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACxB,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7D,OAAO,IAAI,CAAA;YACb,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+DAA+D;AAClD,QAAA,eAAe,GAAoB;IAC9C,+BAA+B;IAC/B;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8CAA8C;KAC5D;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,0CAA0C;KACxD;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uCAAuC;KACrD;IACD;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,6BAA6B;KAC3C;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gCAAgC;KAC9C;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,uBAAuB;QAChC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+BAA+B;KAC7C;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,2FAA2F;QAC3F,6FAA6F;QAC7F,OAAO,EAAE,6HAA6H;QACtI,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gCAAgC;KAC9C;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,8BAA8B;QACvC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sBAAsB;KACpC;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,uFAAuF;QAChG,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4BAA4B;KAC1C;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,wEAAwE;QACjF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,iBAAiB;QAC1B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,IAAI,EAAE,iBAAiB;QACvB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,0BAA0B;KACxC;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,gGAAgG;QACzG,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yBAAyB;KACvC;IACD;QACE,IAAI,EAAE,aAAa;QACnB,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,sBAAsB;KACpC;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0BAA0B;KACxC;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,sEAAsE;QACtE,sEAAsE;QACtE,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sDAAsD;KACpE;IACD,qCAAqC;IACrC;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,mEAAmE;QAC5E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8BAA8B;KAC5C;IACD;QACE,IAAI,EAAE,8BAA8B;QACpC,OAAO,EAAE,qCAAqC;QAC9C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wDAAwD;KACtE;IACD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,4CAA4C;QACrD,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qDAAqD;KACnE;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,kCAAkC;QAC3C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mDAAmD;KACjE;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,+DAA+D;QACxE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4DAA4D;KAC1E;IACD;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+DAA+D;KAC7E;IACD;QACE,IAAI,EAAE,cAAc;QACpB,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2BAA2B;KACzC;IACD;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wCAAwC;KACtD;IACD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,qCAAqC;QAC9C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;KACvD;CACF,CAAA;AAED,SAAgB,mBAAmB,CACjC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAC3C,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,8BAA8B;IAC9B,IAAI,IAAA,+BAAa,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC,EAAE,CAAC;QACrC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,kCAAkC;IAClC,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,yCAAyC;IACzC,MAAM,YAAY,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC/C,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,QAAQ,GAAG,IAAA,8BAAY,EAAC,QAAQ,CAAC,CAAA;IAEvC,KAAK,MAAM,aAAa,IAAI,uBAAe,EAAE,CAAC;QAC5C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;YAC5B,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;gBAAE,OAAM;YAE3B,yEAAyE;YACzE,oDAAoD;YACpD,IAAI,QAAQ,IAAI,IAAA,yCAAuB,EAAC,KAAK,EAAE,KAAK,CAAC,EAAE,CAAC;gBACtD,OAAM;YACR,CAAC;YAED,oBAAoB;YACpB,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,OAAO,CAAC,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YACnF,IAAI,KAAK,CAAA;YAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;gBAEtB,0BAA0B;gBAC1B,IAAI,IAAA,oCAAkB,EAAC,KAAK,EAAE,IAAI,CAAC,EAAE,CAAC;oBACpC,SAAQ;gBACV,CAAC;gBAED,qCAAqC;gBACrC,IAAI,2CAA2C,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC5D,SAAQ;gBACV,CAAC;gBAED,iDAAiD;gBACjD,IAAI,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACtE,SAAQ;gBACV,CAAC;gBAED,6DAA6D;gBAC7D,IAAI,oBAAoB,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;oBACtC,SAAQ;gBACV,CAAC;gBAED,mFAAmF;gBACnF,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9B,SAAQ;gBACV,CAAC;gBAED,uFAAuF;gBACvF,IAAI,IAAA,+BAAa,EAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;oBAClC,4EAA4E;oBAC5E,IAAI,YAAY,IAAI,IAAA,mCAAiB,EAAC,IAAI,CAAC,EAAE,CAAC;wBAC5C,SAAQ;oBACV,CAAC;oBACD,oEAAoE;oBACpE,kDAAkD;oBAClD,IAAI,CAAC,IAAA,mCAAiB,EAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAChG,yEAAyE;oBAC3E,CAAC;yBAAM,CAAC;wBACN,SAAQ;oBACV,CAAC;gBACH,CAAC;gBAED,sCAAsC;gBACtC,IAAI,gBAAgB,GAAG,aAAa,CAAC,QAAQ,CAAA;gBAC7C,IAAI,oBAAoB,GAAG,KAAK,CAAA;gBAChC,IAAI,mBAAmB,GAAG,aAAa,CAAC,WAAW,CAAA;gBACnD,IAAI,kBAAkB,GAA8B,MAAM,CAAA;gBAE1D,sDAAsD;gBACtD,MAAM,eAAe,GACnB,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;oBACvC,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAClC,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBAEtC,IAAI,eAAe,EAAE,CAAC;oBACpB,qDAAqD;oBACrD,MAAM,kBAAkB,GAAG,IAAA,0CAAwB,EAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;oBAEnE,IAAI,kBAAkB,KAAK,aAAa,EAAE,CAAC;wBACzC,0DAA0D;wBAC1D,SAAQ;oBACV,CAAC;yBAAM,IAAI,kBAAkB,KAAK,iBAAiB,EAAE,CAAC;wBACpD,6BAA6B;wBAC7B,gBAAgB,GAAG,UAAU,CAAA;wBAC7B,oBAAoB,GAAG,IAAI,CAAA;wBAC3B,mBAAmB,GAAG,IAAA,oCAAkB,EAAC,IAAI,CAAC;4BAC5C,CAAC,CAAC,GAAG,aAAa,CAAC,WAAW,wDAAwD;4BACtF,CAAC,CAAC,GAAG,aAAa,CAAC,WAAW,oCAAoC,CAAA;oBACtE,CAAC;yBAAM,CAAC;wBACN,oCAAoC;wBACpC,IAAI,IAAA,mCAAiB,EAAC,IAAI,CAAC,EAAE,CAAC;4BAC5B,+CAA+C;4BAC/C,gBAAgB,GAAG,QAAQ,CAAA;4BAC3B,oBAAoB,GAAG,IAAI,CAAA;4BAC3B,mBAAmB,GAAG,GAAG,aAAa,CAAC,WAAW,yCAAyC,CAAA;wBAC7F,CAAC;6BAAM,IAAI,YAAY,EAAE,CAAC;4BACxB,kDAAkD;4BAClD,gBAAgB,GAAG,MAAM,CAAA;4BACzB,oBAAoB,GAAG,IAAI,CAAA;4BAC3B,mBAAmB,GAAG,GAAG,aAAa,CAAC,WAAW,iDAAiD,CAAA;wBACrG,CAAC;6BAAM,CAAC;4BACN,6DAA6D;4BAC7D,gBAAgB,GAAG,UAAU,CAAA;4BAC7B,oBAAoB,GAAG,IAAI,CAAA;4BAC3B,mBAAmB,GAAG,GAAG,aAAa,CAAC,WAAW,oCAAoC,CAAA;wBACxF,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,+BAA+B;gBAC/B,IAAI,UAAU,EAAE,CAAC;oBACf,IAAI,gBAAgB,KAAK,UAAU,EAAE,CAAC;wBACpC,gBAAgB,GAAG,QAAQ,CAAA;oBAC7B,CAAC;yBAAM,IAAI,gBAAgB,KAAK,MAAM,EAAE,CAAC;wBACvC,gBAAgB,GAAG,KAAK,CAAA;oBAC1B,CAAC;yBAAM,CAAC;wBACN,gBAAgB,GAAG,MAAM,CAAA;oBAC3B,CAAC;oBACD,kBAAkB,GAAG,KAAK,CAAA;oBAC1B,mBAAmB,GAAG,GAAG,mBAAmB,iBAAiB,CAAA;gBAC/D,CAAC;gBAED,gDAAgD;gBAChD,MAAM,gBAAgB,GAAG,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;gBAC/D,MAAM,yBAAyB,GAAG,oBAAoB,IAAI,gBAAgB,CAAA;gBAE1E,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,WAAW,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,aAAa,CAAC,IAAI,EAAE;oBAC5D,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,gBAAgB;oBAC1B,QAAQ,EAAE,kBAAkB;oBAC5B,KAAK,EAAE,aAAa,CAAC,IAAI;oBACzB,WAAW,EAAE,mBAAmB;oBAChC,YAAY,EAAE,uFAAuF;oBACrG,UAAU,EAAE,kBAAkB;oBAC9B,cAAc,EAAE,gBAAgB,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,qBAAqB;oBAClF,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,SAAkB;oBACxB,oBAAoB,EAAE,yBAAyB;iBAChD,CAAC,CAAA;YACJ,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/secrets/weak-crypto.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 1: Weak Cryptography Detection
+ * Detects usage of deprecated or weak cryptographic algorithms
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare function detectWeakCrypto(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=weak-crypto.d.ts.map

package/dist/detect/secrets/weak-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"weak-crypto.d.ts","sourceRoot":"","sources":["../../../src/detect/secrets/weak-crypto.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAgY1D,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CA0FjB"}