@oculum/scanner 1.0.12 → 1.0.13

package/dist/model/cross-file-taint.js

@@ -0,0 +1,290 @@
+"use strict";
+/**
+ * Cross-File Taint Analysis — Detects taint flows that cross file boundaries.
+ *
+ * Scenario 1: Source in file A, sink in imported function (file B).
+ *   File A has req.params.id (tainted), calls getUser(id) imported from B.
+ *   B's getUser has param 'id' reaching a sql_query sink.
+ *
+ * Scenario 2: Imported function returns user data.
+ *   File A calls getUserInput() from B which returns req.body.
+ *   File A then passes the return value to a local sink.
+ *
+ * Constraint: One level of imports only. No transitive chasing (A->B->C).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeCrossFileTaint = analyzeCrossFileTaint;
+const sink_patterns_1 = require("./sink-patterns");
+// ============================================================================
+// Main Analysis
+// ============================================================================
+/**
+ * Analyze cross-file taint paths across the project.
+ *
+ * For each file with taint sources, check if tainted variables flow into
+ * calls to imported functions that reach dangerous sinks.
+ */
+function analyzeCrossFileTaint(files, graph, functionProfiles, fileTaintAnalyses) {
+    const paths = [];
+    const fileContentMap = new Map(files.map(f => [f.path, f.content]));
+    for (const [filePath, analysis] of fileTaintAnalyses) {
+        if (analysis.sources.length === 0)
+            continue;
+        const node = graph.nodes.get(filePath);
+        if (!node)
+            continue;
+        // Skip files involved in circular imports (unsafe to analyze)
+        if (graph.circularImports.has(filePath))
+            continue;
+        const content = fileContentMap.get(filePath);
+        if (!content)
+            continue;
+        // Scenario 1: Source in file A, sink in imported function (file B)
+        const scenario1Paths = analyzeScenario1(filePath, content, analysis, node, graph, functionProfiles);
+        paths.push(...scenario1Paths);
+        // Scenario 2: Imported function returns user data, used in local sink
+        const scenario2Paths = analyzeScenario2(filePath, content, analysis, node, graph, functionProfiles);
+        paths.push(...scenario2Paths);
+    }
+    return paths;
+}
+// ============================================================================
+// Scenario 1: Source in A, sink in imported function B
+// ============================================================================
+function analyzeScenario1(filePath, content, analysis, node, graph, functionProfiles) {
+    const paths = [];
+    const lines = content.split('\n');
+    // Build a map of imported function names → their profiles
+    const importedFunctions = new Map();
+    for (const imp of node.imports) {
+        if (!imp.resolvedPath)
+            continue;
+        const profiles = functionProfiles.get(imp.resolvedPath);
+        if (!profiles)
+            continue;
+        for (const name of imp.importedNames) {
+            if (name === 'default')
+                continue;
+            const profile = profiles.find(p => p.name === name);
+            if (profile && profile.reachesSinks.length > 0) {
+                importedFunctions.set(name, { profile, importPath: imp.resolvedPath });
+            }
+        }
+    }
+    if (importedFunctions.size === 0)
+        return paths;
+    // Get tainted variable names and their sources
+    const taintedVarNames = new Map();
+    for (const src of analysis.sources) {
+        taintedVarNames.set(src.variable, src);
+    }
+    for (const tv of analysis.taintedVariables) {
+        if (!tv.sanitised) {
+            taintedVarNames.set(tv.name, tv.source);
+        }
+    }
+    // Pre-compile call patterns for imported functions (avoid per-line RegExp construction)
+    const compiledCallPatterns = new Map();
+    for (const funcName of importedFunctions.keys()) {
+        compiledCallPatterns.set(funcName, new RegExp(`\\b${(0, sink_patterns_1.escapeRegex)(funcName)}\\s*\\(`));
+    }
+    // Pre-compile var patterns for tainted variables
+    const compiledVarPatterns = new Map();
+    for (const varName of taintedVarNames.keys()) {
+        compiledVarPatterns.set(varName, new RegExp(`\\b${(0, sink_patterns_1.escapeRegex)(varName)}\\b`));
+    }
+    // Scan for calls to imported functions with tainted arguments
+    const seen = new Set();
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        const trimmed = line.trim();
+        // Skip comments
+        if (trimmed.startsWith('//') || trimmed.startsWith('*') || trimmed.startsWith('/*'))
+            continue;
+        for (const [funcName, { profile, importPath }] of importedFunctions) {
+            // Check if this line calls the imported function
+            if (!compiledCallPatterns.get(funcName).test(line))
+                continue;
+            // Extract call arguments
+            const args = extractCallArguments(line, funcName);
+            // Check if any tainted variable is passed as an argument
+            for (const arg of args) {
+                const argTrimmed = arg.trim();
+                // Check if this argument is a tainted variable
+                for (const [varName, source] of taintedVarNames) {
+                    if (!compiledVarPatterns.get(varName).test(argTrimmed))
+                        continue;
+                    // Check if the corresponding param is dangerous
+                    const argIndex = args.indexOf(arg);
+                    const paramName = profile.paramNames[argIndex];
+                    const isDangerousParam = paramName
+                        ? profile.dangerousParams.includes(paramName)
+                        : profile.paramNames.length === 0 && profile.dangerousParams.length > 0;
+                    if (!isDangerousParam && profile.dangerousParams.length > 0)
+                        continue;
+                    // Build cross-file taint path
+                    const key = `${filePath}:${source.variable}:${importPath}:${funcName}:${lineNumber}`;
+                    if (seen.has(key))
+                        continue;
+                    seen.add(key);
+                    const sinkType = profile.reachesSinks[0];
+                    paths.push({
+                        sourceFile: filePath,
+                        source,
+                        sinkFile: profile.filePath,
+                        sink: {
+                            line: profile.line,
+                            expression: `${funcName}(...)`,
+                            sinkType,
+                        },
+                        importLink: {
+                            fromFile: filePath,
+                            toFile: importPath,
+                            symbolName: funcName,
+                            paramName,
+                            callLine: lineNumber,
+                        },
+                        sanitised: profile.hasSanitisation,
+                        confidence: 'medium', // cross-file paths are medium confidence by default
+                    });
+                }
+            }
+        }
+    }
+    return paths;
+}
+// ============================================================================
+// Scenario 2: Imported function returns user data, used in local sink
+// ============================================================================
+function analyzeScenario2(filePath, content, _analysis, node, _graph, functionProfiles) {
+    const paths = [];
+    const lines = content.split('\n');
+    // Find imported functions that return user data
+    const userDataFunctions = new Map();
+    for (const imp of node.imports) {
+        if (!imp.resolvedPath)
+            continue;
+        const profiles = functionProfiles.get(imp.resolvedPath);
+        if (!profiles)
+            continue;
+        for (const name of imp.importedNames) {
+            if (name === 'default')
+                continue;
+            const profile = profiles.find(p => p.name === name);
+            if (profile && profile.returnsUserData) {
+                userDataFunctions.set(name, { profile, importPath: imp.resolvedPath });
+            }
+        }
+    }
+    if (userDataFunctions.size === 0)
+        return paths;
+    // Pre-compile assignment patterns for user-data functions
+    const compiledAssignPatterns = new Map();
+    for (const funcName of userDataFunctions.keys()) {
+        compiledAssignPatterns.set(funcName, new RegExp(`(?:const|let|var)\\s+(\\w+)\\s*=\\s*(?:await\\s+)?${(0, sink_patterns_1.escapeRegex)(funcName)}\\s*\\(`));
+    }
+    // Track variables assigned from user-data-returning functions
+    const taintedByImport = new Map();
+    // Cache compiled var patterns for tainted-by-import variables (grows as new vars are discovered)
+    const compiledImportVarPatterns = new Map();
+    const seen = new Set();
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        const trimmed = line.trim();
+        if (trimmed.startsWith('//') || trimmed.startsWith('*'))
+            continue;
+        // Check for assignments from user-data functions
+        for (const [funcName, { profile, importPath }] of userDataFunctions) {
+            const assignMatch = line.match(compiledAssignPatterns.get(funcName));
+            if (assignMatch) {
+                const varName = assignMatch[1];
+                taintedByImport.set(varName, { source: profile, callLine: lineNumber, importPath, funcName });
+                // Pre-compile pattern for newly discovered tainted variable
+                if (!compiledImportVarPatterns.has(varName)) {
+                    compiledImportVarPatterns.set(varName, new RegExp(`\\b${(0, sink_patterns_1.escapeRegex)(varName)}\\b`));
+                }
+            }
+        }
+        // Check if any tainted-by-import variable reaches a local sink
+        for (const sp of sink_patterns_1.SINK_PATTERNS) {
+            if (!sp.pattern.test(line))
+                continue;
+            for (const [varName, info] of taintedByImport) {
+                if (!compiledImportVarPatterns.get(varName).test(line))
+                    continue;
+                const key = `${filePath}:${varName}:${info.importPath}:${info.funcName}:${lineNumber}`;
+                if (seen.has(key))
+                    continue;
+                seen.add(key);
+                paths.push({
+                    sourceFile: info.importPath,
+                    source: {
+                        line: info.source.line,
+                        expression: `${info.funcName}() return value`,
+                        variable: varName,
+                        sourceType: info.source.returnSourceType ?? 'http_body',
+                        confidence: 'medium',
+                    },
+                    sinkFile: filePath,
+                    sink: {
+                        line: lineNumber,
+                        expression: trimmed,
+                        sinkType: sp.sinkType,
+                    },
+                    importLink: {
+                        fromFile: filePath,
+                        toFile: info.importPath,
+                        symbolName: info.funcName,
+                        callLine: info.callLine,
+                    },
+                    sanitised: false,
+                    confidence: 'low', // scenario 2 is lower confidence
+                });
+            }
+        }
+    }
+    return paths;
+}
+// ============================================================================
+// Helpers
+// ============================================================================
+function extractCallArguments(line, funcName) {
+    const startIdx = line.indexOf(funcName);
+    if (startIdx === -1)
+        return [];
+    const parenStart = line.indexOf('(', startIdx + funcName.length);
+    if (parenStart === -1)
+        return [];
+    let depth = 0;
+    let current = '';
+    const args = [];
+    for (let i = parenStart; i < line.length; i++) {
+        const ch = line[i];
+        if (ch === '(') {
+            if (depth > 0)
+                current += ch;
+            depth++;
+        }
+        else if (ch === ')') {
+            depth--;
+            if (depth === 0) {
+                if (current.trim())
+                    args.push(current.trim());
+                break;
+            }
+            current += ch;
+        }
+        else if (ch === ',' && depth === 1) {
+            if (current.trim())
+                args.push(current.trim());
+            current = '';
+        }
+        else if (depth > 0) {
+            current += ch;
+        }
+    }
+    return args;
+}
+//# sourceMappingURL=cross-file-taint.js.map

package/dist/model/cross-file-taint.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cross-file-taint.js","sourceRoot":"","sources":["../../src/model/cross-file-taint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AA2CH,sDA6CC;AA7ED,mDAA4D;AAsB5D,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;;;;GAKG;AACH,SAAgB,qBAAqB,CACnC,KAAiB,EACjB,KAAkB,EAClB,gBAAoC,EACpC,iBAAiD;IAEjD,MAAM,KAAK,GAAyB,EAAE,CAAA;IACtC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;IAEnE,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,iBAAiB,EAAE,CAAC;QACrD,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,SAAQ;QAE3C,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QACtC,IAAI,CAAC,IAAI;YAAE,SAAQ;QAEnB,8DAA8D;QAC9D,IAAI,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,SAAQ;QAEjD,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC5C,IAAI,CAAC,OAAO;YAAE,SAAQ;QAEtB,mEAAmE;QACnE,MAAM,cAAc,GAAG,gBAAgB,CACrC,QAAQ,EACR,OAAO,EACP,QAAQ,EACR,IAAI,EACJ,KAAK,EACL,gBAAgB,CACjB,CAAA;QACD,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAA;QAE7B,sEAAsE;QACtE,MAAM,cAAc,GAAG,gBAAgB,CACrC,QAAQ,EACR,OAAO,EACP,QAAQ,EACR,IAAI,EACJ,KAAK,EACL,gBAAgB,CACjB,CAAA;QACD,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAA;IAC/B,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,uDAAuD;AACvD,+EAA+E;AAE/E,SAAS,gBAAgB,CACvB,QAAgB,EAChB,OAAe,EACf,QAA2B,EAC3B,IAAkD,EAClD,KAAkB,EAClB,gBAAoC;IAEpC,MAAM,KAAK,GAAyB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,0DAA0D;IAC1D,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAoE,CAAA;IAErG,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,YAAY;YAAE,SAAQ;QAC/B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACvD,IAAI,CAAC,QAAQ;YAAE,SAAQ;QAEvB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;YACrC,IAAI,IAAI,KAAK,SAAS;gBAAE,SAAQ;YAChC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;YACnD,IAAI,OAAO,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/C,iBAAiB,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAA;YACxE,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,iBAAiB,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAE9C,+CAA+C;IAC/C,MAAM,eAAe,GAAG,IAAI,GAAG,EAA2B,CAAA;IAC1D,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACnC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;IACxC,CAAC;IACD,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,gBAAgB,EAAE,CAAC;QAC3C,IAAI,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC;YAClB,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,CAAA;QACzC,CAAC;IACH,CAAC;IAED,wFAAwF;IACxF,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAkB,CAAA;IACtD,KAAK,MAAM,QAAQ,IAAI,iBAAiB,CAAC,IAAI,EAAE,EAAE,CAAC;QAChD,oBAAoB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,MAAM,CAAC,MAAM,IAAA,2BAAW,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAA;IACtF,CAAC;IAED,iDAAiD;IACjD,MAAM,mBAAmB,GAAG,IAAI,GAAG,EAAkB,CAAA;IACrD,KAAK,MAAM,OAAO,IAAI,eAAe,CAAC,IAAI,EAAE,EAAE,CAAC;QAC7C,mBAAmB,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,MAAM,IAAA,2BAAW,EAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;IAC/E,CAAC;IAED,8DAA8D;IAC9D,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;QAE3B,gBAAgB;QAChB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAQ;QAE7F,KAAK,MAAM,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,IAAI,iBAAiB,EAAE,CAAC;YACpE,iDAAiD;YACjD,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE7D,yBAAyB;YACzB,MAAM,IAAI,GAAG,oBAAoB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;YAEjD,yDAAyD;YACzD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,CAAA;gBAE7B,+CAA+C;gBAC/C,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;oBAChD,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC,IAAI,CAAC,UAAU,CAAC;wBAAE,SAAQ;oBAEjE,gDAAgD;oBAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;oBAClC,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAA;oBAC9C,MAAM,gBAAgB,GAAG,SAAS;wBAChC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,SAAS,CAAC;wBAC7C,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,CAAA;oBAEzE,IAAI,CAAC,gBAAgB,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;wBAAE,SAAQ;oBAErE,8BAA8B;oBAC9B,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,MAAM,CAAC,QAAQ,IAAI,UAAU,IAAI,QAAQ,IAAI,UAAU,EAAE,CAAA;oBACpF,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;wBAAE,SAAQ;oBAC3B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;oBAEb,MAAM,QAAQ,GAAa,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;oBAClD,KAAK,CAAC,IAAI,CAAC;wBACT,UAAU,EAAE,QAAQ;wBACpB,MAAM;wBACN,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,IAAI,EAAE;4BACJ,IAAI,EAAE,OAAO,CAAC,IAAI;4BAClB,UAAU,EAAE,GAAG,QAAQ,OAAO;4BAC9B,QAAQ;yBACT;wBACD,UAAU,EAAE;4BACV,QAAQ,EAAE,QAAQ;4BAClB,MAAM,EAAE,UAAU;4BAClB,UAAU,EAAE,QAAQ;4BACpB,SAAS;4BACT,QAAQ,EAAE,UAAU;yBACrB;wBACD,SAAS,EAAE,OAAO,CAAC,eAAe;wBAClC,UAAU,EAAE,QAAQ,EAAG,oDAAoD;qBAC5E,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,sEAAsE;AACtE,+EAA+E;AAE/E,SAAS,gBAAgB,CACvB,QAAgB,EAChB,OAAe,EACf,SAA4B,EAC5B,IAAkD,EAClD,MAAmB,EACnB,gBAAoC;IAEpC,MAAM,KAAK,GAAyB,EAAE,CAAA;IACtC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAEjC,gDAAgD;IAChD,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAoE,CAAA;IAErG,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,YAAY;YAAE,SAAQ;QAC/B,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QACvD,IAAI,CAAC,QAAQ;YAAE,SAAQ;QAEvB,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,aAAa,EAAE,CAAC;YACrC,IAAI,IAAI,KAAK,SAAS;gBAAE,SAAQ;YAChC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;YACnD,IAAI,OAAO,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;gBACvC,iBAAiB,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,YAAY,EAAE,CAAC,CAAA;YACxE,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,iBAAiB,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAE9C,0DAA0D;IAC1D,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAkB,CAAA;IACxD,KAAK,MAAM,QAAQ,IAAI,iBAAiB,CAAC,IAAI,EAAE,EAAE,CAAC;QAChD,sBAAsB,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,MAAM,CAAC,qDAAqD,IAAA,2BAAW,EAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAA;IACvI,CAAC;IAED,8DAA8D;IAC9D,MAAM,eAAe,GAAG,IAAI,GAAG,EAAuG,CAAA;IACtI,iGAAiG;IACjG,MAAM,yBAAyB,GAAG,IAAI,GAAG,EAAkB,CAAA;IAE3D,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAE9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA;QACxB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;QAE3B,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAQ;QAEjE,iDAAiD;QACjD,KAAK,MAAM,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,IAAI,iBAAiB,EAAE,CAAC;YACpE,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,GAAG,CAAC,QAAQ,CAAE,CAAC,CAAA;YACrE,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAA;gBAC9B,eAAe,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC,CAAA;gBAC7F,4DAA4D;gBAC5D,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC5C,yBAAyB,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,MAAM,CAAC,MAAM,IAAA,2BAAW,EAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAA;gBACrF,CAAC;YACH,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,KAAK,MAAM,EAAE,IAAI,6BAAa,EAAE,CAAC;YAC/B,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEpC,KAAK,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,eAAe,EAAE,CAAC;gBAC9C,IAAI,CAAC,yBAAyB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAQ;gBAEjE,MAAM,GAAG,GAAG,GAAG,QAAQ,IAAI,OAAO,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,QAAQ,IAAI,UAAU,EAAE,CAAA;gBACtF,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAQ;gBAC3B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;gBAEb,KAAK,CAAC,IAAI,CAAC;oBACT,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,MAAM,EAAE;wBACN,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;wBACtB,UAAU,EAAE,GAAG,IAAI,CAAC,QAAQ,iBAAiB;wBAC7C,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB,IAAI,WAAW;wBACvD,UAAU,EAAE,QAAQ;qBACrB;oBACD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE;wBACJ,IAAI,EAAE,UAAU;wBAChB,UAAU,EAAE,OAAO;wBACnB,QAAQ,EAAE,EAAE,CAAC,QAAQ;qBACtB;oBACD,UAAU,EAAE;wBACV,QAAQ,EAAE,QAAQ;wBAClB,MAAM,EAAE,IAAI,CAAC,UAAU;wBACvB,UAAU,EAAE,IAAI,CAAC,QAAQ;wBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;qBACxB;oBACD,SAAS,EAAE,KAAK;oBAChB,UAAU,EAAE,KAAK,EAAG,iCAAiC;iBACtD,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E,SAAS,oBAAoB,CAAC,IAAY,EAAE,QAAgB;IAC1D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IACvC,IAAI,QAAQ,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,CAAA;IAE9B,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAA;IAChE,IAAI,UAAU,KAAK,CAAC,CAAC;QAAE,OAAO,EAAE,CAAA;IAEhC,IAAI,KAAK,GAAG,CAAC,CAAA;IACb,IAAI,OAAO,GAAG,EAAE,CAAA;IAChB,MAAM,IAAI,GAAa,EAAE,CAAA;IAEzB,KAAK,IAAI,CAAC,GAAG,UAAU,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC9C,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAA;QAClB,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,IAAI,KAAK,GAAG,CAAC;gBAAE,OAAO,IAAI,EAAE,CAAA;YAC5B,KAAK,EAAE,CAAA;QACT,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACtB,KAAK,EAAE,CAAA;YACP,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;gBAChB,IAAI,OAAO,CAAC,IAAI,EAAE;oBAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;gBAC7C,MAAK;YACP,CAAC;YACD,OAAO,IAAI,EAAE,CAAA;QACf,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;YAC7C,OAAO,GAAG,EAAE,CAAA;QACd,CAAC;aAAM,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACrB,OAAO,IAAI,EAAE,CAAA;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/model/framework-models/django.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Django Framework Security Model
+ *
+ * Django ORM queries are parameterised by default. Templates auto-escape.
+ * |safe filter, .extra(), .raw(), mark_safe() bypass protections.
+ */
+import type { FrameworkSecurityModel } from './types';
+export declare const djangoModel: FrameworkSecurityModel;
+//# sourceMappingURL=django.d.ts.map

package/dist/model/framework-models/django.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"django.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/django.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAA;AAarD,eAAO,MAAM,WAAW,EAAE,sBA6DzB,CAAA"}

package/dist/model/framework-models/django.js

@@ -0,0 +1,82 @@
+"use strict";
+/**
+ * Django Framework Security Model
+ *
+ * Django ORM queries are parameterised by default. Templates auto-escape.
+ * |safe filter, .extra(), .raw(), mark_safe() bypass protections.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.djangoModel = void 0;
+// Safe ORM patterns
+const ORM_FILTER_RE = /\.objects\.(filter|get|exclude|create|update|values|annotate|aggregate|count|exists)\s*\(/;
+const ORM_QUERYSET_RE = /\.(select_related|prefetch_related|order_by|distinct|first|last|earliest|latest)\s*\(/;
+// Unsafe patterns
+const SAFE_FILTER_RE = /\|\s*safe\b/;
+const EXTRA_RE = /\.extra\s*\(/;
+const RAW_RE = /\.raw\s*\(/;
+const CURSOR_EXECUTE_RE = /cursor\s*\(\s*\)\s*\.execute\s*\(/;
+const MARK_SAFE_RE = /mark_safe\s*\(/;
+exports.djangoModel = {
+    framework: 'django',
+    safePatterns: [
+        {
+            id: 'orm_django_parameterised',
+            suppressesCategory: ['sql_injection', 'dangerous_function'],
+            detect: (line, filePath, _fileContent) => {
+                if (!/\.py$/.test(filePath))
+                    return false;
+                return ORM_FILTER_RE.test(line) || ORM_QUERYSET_RE.test(line);
+            },
+            reason: 'Django ORM parameterises queries by default — SQL injection not applicable',
+        },
+        {
+            id: 'django_template_auto_escape',
+            suppressesCategory: ['xss'],
+            detect: (line, filePath, _fileContent) => {
+                // Django templates auto-escape by default
+                if (!/\.html$/.test(filePath))
+                    return false;
+                // Template variable interpolation
+                return /\{\{.*\}\}/.test(line) && !SAFE_FILTER_RE.test(line);
+            },
+            reason: 'Django templates auto-escape variables by default — XSS not applicable',
+        },
+    ],
+    unsafePatterns: [
+        {
+            id: 'django_safe_filter',
+            boostsCategory: ['xss'],
+            detect: (line, filePath, _fileContent) => {
+                if (!/\.html$/.test(filePath))
+                    return false;
+                return SAFE_FILTER_RE.test(line);
+            },
+            reason: 'Django |safe filter bypasses template auto-escaping — XSS risk',
+        },
+        {
+            id: 'django_extra_raw_sql',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => EXTRA_RE.test(line),
+            reason: 'Django .extra() accepts raw SQL — SQL injection risk',
+        },
+        {
+            id: 'django_raw_query',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => RAW_RE.test(line),
+            reason: 'Django .raw() executes raw SQL — SQL injection risk',
+        },
+        {
+            id: 'django_cursor_execute',
+            boostsCategory: ['sql_injection'],
+            detect: (line, _filePath, _fileContent) => CURSOR_EXECUTE_RE.test(line),
+            reason: 'Django connection.cursor().execute() is raw SQL — SQL injection risk',
+        },
+        {
+            id: 'django_mark_safe',
+            boostsCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => MARK_SAFE_RE.test(line),
+            reason: 'mark_safe() bypasses Django template auto-escaping — XSS risk',
+        },
+    ],
+};
+//# sourceMappingURL=django.js.map

package/dist/model/framework-models/django.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"django.js","sourceRoot":"","sources":["../../../src/model/framework-models/django.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,oBAAoB;AACpB,MAAM,aAAa,GAAG,2FAA2F,CAAA;AACjH,MAAM,eAAe,GAAG,uFAAuF,CAAA;AAE/G,kBAAkB;AAClB,MAAM,cAAc,GAAG,aAAa,CAAA;AACpC,MAAM,QAAQ,GAAG,cAAc,CAAA;AAC/B,MAAM,MAAM,GAAG,YAAY,CAAA;AAC3B,MAAM,iBAAiB,GAAG,mCAAmC,CAAA;AAC7D,MAAM,YAAY,GAAG,gBAAgB,CAAA;AAExB,QAAA,WAAW,GAA2B;IACjD,SAAS,EAAE,QAAQ;IAEnB,YAAY,EAAE;QACZ;YACE,EAAE,EAAE,0BAA0B;YAC9B,kBAAkB,EAAE,CAAC,eAAe,EAAE,oBAAoB,CAAC;YAC3D,MAAM,EAAE,CAAC,IAAY,EAAE,QAAgB,EAAE,YAAoB,EAAE,EAAE;gBAC/D,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,OAAO,KAAK,CAAA;gBACzC,OAAO,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC/D,CAAC;YACD,MAAM,EAAE,4EAA4E;SACrF;QACD;YACE,EAAE,EAAE,6BAA6B;YACjC,kBAAkB,EAAE,CAAC,KAAK,CAAC;YAC3B,MAAM,EAAE,CAAC,IAAY,EAAE,QAAgB,EAAE,YAAoB,EAAE,EAAE;gBAC/D,0CAA0C;gBAC1C,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAC3C,kCAAkC;gBAClC,OAAO,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAC9D,CAAC;YACD,MAAM,EAAE,wEAAwE;SACjF;KACF;IAED,cAAc,EAAE;QACd;YACE,EAAE,EAAE,oBAAoB;YACxB,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,QAAgB,EAAE,YAAoB,EAAE,EAAE;gBAC/D,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAC3C,OAAO,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAClC,CAAC;YACD,MAAM,EAAE,gEAAgE;SACzE;QACD;YACE,EAAE,EAAE,sBAAsB;YAC1B,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;YACtF,MAAM,EAAE,sDAAsD;SAC/D;QACD;YACE,EAAE,EAAE,kBAAkB;YACtB,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;YACpF,MAAM,EAAE,qDAAqD;SAC9D;QACD;YACE,EAAE,EAAE,uBAAuB;YAC3B,cAAc,EAAE,CAAC,eAAe,CAAC;YACjC,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;YAC/F,MAAM,EAAE,sEAAsE;SAC/E;QACD;YACE,EAAE,EAAE,kBAAkB;YACtB,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC;YAC1F,MAAM,EAAE,+DAA+D;SACxE;KACF;CACF,CAAA"}

package/dist/model/framework-models/express.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Express Framework Security Model
+ *
+ * res.json() auto-serialises (no XSS in JSON). Helmet adds security headers.
+ * Template literals in res.send() with user data are XSS risks.
+ */
+import type { FrameworkSecurityModel } from './types';
+export declare const expressModel: FrameworkSecurityModel;
+//# sourceMappingURL=express.d.ts.map

package/dist/model/framework-models/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/express.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAA;AAQrD,eAAO,MAAM,YAAY,EAAE,sBAsC1B,CAAA"}

package/dist/model/framework-models/express.js

@@ -0,0 +1,52 @@
+"use strict";
+/**
+ * Express Framework Security Model
+ *
+ * res.json() auto-serialises (no XSS in JSON). Helmet adds security headers.
+ * Template literals in res.send() with user data are XSS risks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.expressModel = void 0;
+const RES_JSON_RE = /res\.json\s*\(/;
+const RES_SEND_TEMPLATE_RE = /res\.send\s*\(\s*`/;
+const RES_SEND_CONCAT_RE = /res\.send\s*\([^)]*\+/;
+const RES_END_TEMPLATE_RE = /res\.end\s*\(\s*`/;
+const HELMET_RE = /helmet\s*\(/;
+exports.expressModel = {
+    framework: 'express',
+    safePatterns: [
+        {
+            id: 'express_res_json_safe',
+            suppressesCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => RES_JSON_RE.test(line),
+            reason: 'Express res.json() auto-serialises to JSON — no XSS risk in JSON responses',
+        },
+        {
+            id: 'express_helmet_headers',
+            suppressesCategory: ['insecure_config', 'cors_misconfiguration'],
+            detect: (line, _filePath, _fileContent) => HELMET_RE.test(line),
+            reason: 'Helmet middleware sets security headers by default',
+        },
+    ],
+    unsafePatterns: [
+        {
+            id: 'express_res_send_template',
+            boostsCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => RES_SEND_TEMPLATE_RE.test(line),
+            reason: 'Template literal in res.send() may include user data — XSS risk',
+        },
+        {
+            id: 'express_res_send_concat',
+            boostsCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => RES_SEND_CONCAT_RE.test(line),
+            reason: 'String concatenation in res.send() may include user data — XSS risk',
+        },
+        {
+            id: 'express_res_end_template',
+            boostsCategory: ['xss'],
+            detect: (line, _filePath, _fileContent) => RES_END_TEMPLATE_RE.test(line),
+            reason: 'Template literal in res.end() may include user data — XSS risk',
+        },
+    ],
+};
+//# sourceMappingURL=express.js.map

package/dist/model/framework-models/express.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.js","sourceRoot":"","sources":["../../../src/model/framework-models/express.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;;AAIH,MAAM,WAAW,GAAG,gBAAgB,CAAA;AACpC,MAAM,oBAAoB,GAAG,oBAAoB,CAAA;AACjD,MAAM,kBAAkB,GAAG,uBAAuB,CAAA;AAClD,MAAM,mBAAmB,GAAG,mBAAmB,CAAA;AAC/C,MAAM,SAAS,GAAG,aAAa,CAAA;AAElB,QAAA,YAAY,GAA2B;IAClD,SAAS,EAAE,SAAS;IAEpB,YAAY,EAAE;QACZ;YACE,EAAE,EAAE,uBAAuB;YAC3B,kBAAkB,EAAE,CAAC,KAAK,CAAC;YAC3B,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;YACzF,MAAM,EAAE,4EAA4E;SACrF;QACD;YACE,EAAE,EAAE,wBAAwB;YAC5B,kBAAkB,EAAE,CAAC,iBAAiB,EAAE,uBAAuB,CAAC;YAChE,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YACvF,MAAM,EAAE,oDAAoD;SAC7D;KACF;IAED,cAAc,EAAE;QACd;YACE,EAAE,EAAE,2BAA2B;YAC/B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC;YAClG,MAAM,EAAE,iEAAiE;SAC1E;QACD;YACE,EAAE,EAAE,yBAAyB;YAC7B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC;YAChG,MAAM,EAAE,qEAAqE;SAC9E;QACD;YACE,EAAE,EAAE,0BAA0B;YAC9B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,MAAM,EAAE,CAAC,IAAY,EAAE,SAAiB,EAAE,YAAoB,EAAE,EAAE,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC;YACjG,MAAM,EAAE,gEAAgE;SACzE;KACF;CACF,CAAA"}

package/dist/model/framework-models/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Framework Analysis Orchestrator
+ *
+ * Runs applicable framework security models against each file,
+ * returning per-file framework analysis results (safe/unsafe line annotations).
+ */
+import type { ScanFile } from '../../shared/types';
+import type { ProjectContext } from '../project-context';
+import type { FileFrameworkAnalysis } from './types';
+/**
+ * Analyze framework patterns across all files.
+ *
+ * For each file, runs all applicable framework models against each line.
+ * Returns a Map of file path → FileFrameworkAnalysis.
+ *
+ * Only files with at least one match are included in the result.
+ */
+export declare function analyzeFrameworkPatterns(files: ScanFile[], projectContext: ProjectContext): Map<string, FileFrameworkAnalysis>;
+export type { FrameworkSecurityModel, FrameworkSafePattern, FrameworkUnsafePattern, FileFrameworkAnalysis } from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/model/framework-models/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAA;AAClD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAA;AACxD,OAAO,KAAK,EAA0B,qBAAqB,EAAgD,MAAM,SAAS,CAAA;AA0C1H;;;;;;;GAOG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,QAAQ,EAAE,EACjB,cAAc,EAAE,cAAc,GAC7B,GAAG,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAkDpC;AAGD,YAAY,EAAE,sBAAsB,EAAE,oBAAoB,EAAE,sBAAsB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAA"}

package/dist/model/framework-models/index.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * Framework Analysis Orchestrator
+ *
+ * Runs applicable framework security models against each file,
+ * returning per-file framework analysis results (safe/unsafe line annotations).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeFrameworkPatterns = analyzeFrameworkPatterns;
+const react_1 = require("./react");
+const nextjs_1 = require("./nextjs");
+const express_1 = require("./express");
+const django_1 = require("./django");
+const sequelize_1 = require("./sequelize");
+const prisma_1 = require("./prisma");
+/**
+ * Select applicable framework models based on project context.
+ */
+function selectModels(projectContext) {
+    const models = [];
+    if (projectContext.frameworks.frontend === 'react') {
+        models.push(react_1.reactModel);
+    }
+    if (projectContext.frameworks.primary === 'nextjs') {
+        models.push(nextjs_1.nextjsModel);
+        // Next.js uses React — ensure React model is included
+        if (!models.some(m => m.framework === 'react')) {
+            models.push(react_1.reactModel);
+        }
+    }
+    if (projectContext.frameworks.primary === 'express') {
+        models.push(express_1.expressModel);
+    }
+    if (projectContext.frameworks.primary === 'django') {
+        models.push(django_1.djangoModel);
+    }
+    // ORM-specific models
+    if (projectContext.dataAccess.orm === 'sequelize') {
+        models.push(sequelize_1.sequelizeModel);
+    }
+    if (projectContext.dataAccess.orm === 'prisma') {
+        models.push(prisma_1.prismaModel);
+    }
+    return models;
+}
+/**
+ * Analyze framework patterns across all files.
+ *
+ * For each file, runs all applicable framework models against each line.
+ * Returns a Map of file path → FileFrameworkAnalysis.
+ *
+ * Only files with at least one match are included in the result.
+ */
+function analyzeFrameworkPatterns(files, projectContext) {
+    const models = selectModels(projectContext);
+    if (models.length === 0)
+        return new Map();
+    const results = new Map();
+    for (const file of files) {
+        const safeLines = new Map();
+        const unsafeLines = new Map();
+        const lines = file.content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const lineContent = lines[i];
+            const lineNumber = i + 1;
+            for (const model of models) {
+                for (const safe of model.safePatterns) {
+                    if (safe.detect(lineContent, file.path, file.content)) {
+                        const existing = safeLines.get(lineNumber);
+                        if (existing) {
+                            // Avoid duplicate IDs on the same line
+                            if (!existing.some(p => p.id === safe.id)) {
+                                existing.push(safe);
+                            }
+                        }
+                        else {
+                            safeLines.set(lineNumber, [safe]);
+                        }
+                    }
+                }
+                for (const unsafe of model.unsafePatterns) {
+                    if (unsafe.detect(lineContent, file.path, file.content)) {
+                        const existing = unsafeLines.get(lineNumber);
+                        if (existing) {
+                            if (!existing.some(p => p.id === unsafe.id)) {
+                                existing.push(unsafe);
+                            }
+                        }
+                        else {
+                            unsafeLines.set(lineNumber, [unsafe]);
+                        }
+                    }
+                }
+            }
+        }
+        if (safeLines.size > 0 || unsafeLines.size > 0) {
+            results.set(file.path, { safeLines, unsafeLines });
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=index.js.map

package/dist/model/framework-models/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/model/framework-models/index.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAsDH,4DAqDC;AAtGD,mCAAoC;AACpC,qCAAsC;AACtC,uCAAwC;AACxC,qCAAsC;AACtC,2CAA4C;AAC5C,qCAAsC;AAEtC;;GAEG;AACH,SAAS,YAAY,CAAC,cAA8B;IAClD,MAAM,MAAM,GAA6B,EAAE,CAAA;IAE3C,IAAI,cAAc,CAAC,UAAU,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,kBAAU,CAAC,CAAA;IACzB,CAAC;IACD,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,oBAAW,CAAC,CAAA;QACxB,sDAAsD;QACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,OAAO,CAAC,EAAE,CAAC;YAC/C,MAAM,CAAC,IAAI,CAAC,kBAAU,CAAC,CAAA;QACzB,CAAC;IACH,CAAC;IACD,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,sBAAY,CAAC,CAAA;IAC3B,CAAC;IACD,IAAI,cAAc,CAAC,UAAU,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,oBAAW,CAAC,CAAA;IAC1B,CAAC;IAED,sBAAsB;IACtB,IAAI,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAClD,MAAM,CAAC,IAAI,CAAC,0BAAc,CAAC,CAAA;IAC7B,CAAC;IACD,IAAI,cAAc,CAAC,UAAU,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC/C,MAAM,CAAC,IAAI,CAAC,oBAAW,CAAC,CAAA;IAC1B,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,wBAAwB,CACtC,KAAiB,EACjB,cAA8B;IAE9B,MAAM,MAAM,GAAG,YAAY,CAAC,cAAc,CAAC,CAAA;IAC3C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,GAAG,EAAE,CAAA;IAEzC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAiC,CAAA;IAExD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,GAAG,EAAkC,CAAA;QAC3D,MAAM,WAAW,GAAG,IAAI,GAAG,EAAoC,CAAA;QAC/D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;QAEtC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YAC5B,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAA;YAExB,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;oBACtC,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACtD,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;wBAC1C,IAAI,QAAQ,EAAE,CAAC;4BACb,uCAAuC;4BACvC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;gCAC1C,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;4BACrB,CAAC;wBACH,CAAC;6BAAM,CAAC;4BACN,SAAS,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,IAAI,CAAC,CAAC,CAAA;wBACnC,CAAC;oBACH,CAAC;gBACH,CAAC;gBACD,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,cAAc,EAAE,CAAC;oBAC1C,IAAI,MAAM,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBACxD,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,UAAU,CAAC,CAAA;wBAC5C,IAAI,QAAQ,EAAE,CAAC;4BACb,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC;gCAC5C,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;4BACvB,CAAC;wBACH,CAAC;6BAAM,CAAC;4BACN,WAAW,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;wBACvC,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC,IAAI,WAAW,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAA;QACpD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAA;AAChB,CAAC"}

package/dist/model/framework-models/nextjs.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Next.js Framework Security Model
+ *
+ * App Router Server Components cannot access browser APIs (no DOM XSS).
+ * searchParams/params are user-controlled. Server Actions receive FormData.
+ */
+import type { FrameworkSecurityModel } from './types';
+export declare const nextjsModel: FrameworkSecurityModel;
+//# sourceMappingURL=nextjs.d.ts.map

package/dist/model/framework-models/nextjs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../../src/model/framework-models/nextjs.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,SAAS,CAAA;AAYrD,eAAO,MAAM,WAAW,EAAE,sBAiDzB,CAAA"}