@oculum/scanner 1.0.12 → 1.0.13

package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts

@@ -0,0 +1,197 @@
+/**
+ * Security Headers Test Fixtures
+ * Tests for detecting missing HTTP security headers
+ */
+
+import type { TestGroup } from '../../types'
+
+export const securityHeadersTests: TestGroup = {
+  name: 'Security Headers',
+  tier: 'B',
+  layer: 2,
+  description: 'Detection of missing HTTP security headers (CSP, HSTS, helmet, etc.)',
+
+  truePositives: [
+    {
+      name: 'Security Headers - True Positives',
+      expectFindings: true,
+      expectedCategories: ['missing_security_headers'],
+      description: 'Missing security header patterns that MUST be detected',
+      file: {
+        path: 'src/server/app.ts',
+        content: `
+import express from 'express'
+
+// Express app without helmet middleware
+const app = express()
+
+app.use(express.json())
+
+app.get('/api/data', (req, res) => {
+  res.json({ status: 'ok' })
+})
+
+app.listen(3000, () => {
+  console.log('Server running')
+})
+`,
+        language: 'typescript',
+        size: 250,
+      },
+    },
+    {
+      name: 'Security Headers - Helmet CSP Disabled',
+      expectFindings: true,
+      expectedCategories: ['missing_security_headers'],
+      description: 'Helmet with CSP explicitly disabled',
+      file: {
+        path: 'src/server/secure-app.ts',
+        content: `
+import express from 'express'
+import helmet from 'helmet'
+
+const app = express()
+
+// CSP disabled - this weakens security
+app.use(helmet({
+  contentSecurityPolicy: false,
+}))
+
+app.get('/api/data', (req, res) => {
+  res.json({ status: 'ok' })
+})
+`,
+        language: 'typescript',
+        size: 250,
+      },
+    },
+    {
+      name: 'Security Headers - Next.js Config Missing Headers',
+      expectFindings: true,
+      expectedCategories: ['missing_security_headers'],
+      description: 'Next.js config without headers export',
+      file: {
+        path: 'next.config.mjs',
+        content: `
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  reactStrictMode: true,
+  images: {
+    remotePatterns: [
+      { hostname: 'example.com' },
+    ],
+  },
+}
+
+export default nextConfig
+`,
+        language: 'javascript',
+        size: 200,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'Security Headers - Express with Helmet (safe)',
+      expectFindings: false,
+      description: 'Express app WITH helmet properly configured should not be flagged',
+      file: {
+        path: 'src/server/safe-app.ts',
+        content: `
+import express from 'express'
+import helmet from 'helmet'
+
+const app = express()
+
+app.use(helmet())
+app.use(express.json())
+
+app.get('/api/data', (req, res) => {
+  res.json({ status: 'ok' })
+})
+`,
+        language: 'typescript',
+        size: 200,
+      },
+    },
+    {
+      name: 'Security Headers - Next.js Config with Headers',
+      expectFindings: false,
+      description: 'Next.js config WITH headers export should not be flagged',
+      file: {
+        path: 'next.config.mjs',
+        content: `
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  reactStrictMode: true,
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
+        ],
+      },
+    ]
+  },
+}
+
+export default nextConfig
+`,
+        language: 'javascript',
+        size: 400,
+      },
+    },
+    {
+      name: 'Security Headers - Client Component (not server)',
+      expectFindings: false,
+      description: 'Client-side React component should not be checked for server headers',
+      file: {
+        path: 'src/components/Button.tsx',
+        content: `
+'use client'
+
+import { useState } from 'react'
+
+export function Button({ children, onClick }) {
+  const [loading, setLoading] = useState(false)
+
+  return (
+    <button onClick={onClick} disabled={loading}>
+      {children}
+    </button>
+  )
+}
+`,
+        language: 'typescript',
+        size: 200,
+      },
+    },
+    {
+      name: 'Security Headers - Fastify Helmet (safe)',
+      expectFindings: false,
+      description: 'Express app with @fastify/helmet should not be flagged',
+      file: {
+        path: 'src/server/fastify-app.ts',
+        content: `
+import express from 'express'
+import helmet from '@fastify/helmet'
+
+const app = express()
+
+app.use(helmet())
+app.use(express.json())
+
+app.get('/api/data', (req, res) => {
+  res.json({ ok: true })
+})
+`,
+        language: 'typescript',
+        size: 200,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts

@@ -0,0 +1,210 @@
+/**
+ * SSRF Detection Test Fixtures
+ * Tests for detecting Server-Side Request Forgery patterns
+ */
+
+import type { TestGroup } from '../../types'
+
+export const ssrfDetectionTests: TestGroup = {
+  name: 'SSRF Detection',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of SSRF patterns where user input flows to server-side HTTP requests',
+
+  truePositives: [
+    {
+      name: 'SSRF - True Positives',
+      expectFindings: true,
+      expectedCategories: ['ssrf'],
+      description: 'SSRF patterns that MUST be detected',
+      file: {
+        path: 'src/api/proxy.ts',
+        content: `
+import express from 'express'
+import axios from 'axios'
+
+const app = express()
+
+// Direct taint: fetch(req.body.url)
+app.post('/api/fetch-url', async (req, res) => {
+  const response = await fetch(req.body.url)
+  const data = await response.json()
+  res.json(data)
+})
+
+// Direct taint: axios.get(req.query.endpoint)
+app.get('/api/proxy', async (req, res) => {
+  const response = await axios.get(req.query.endpoint)
+  res.json(response.data)
+})
+
+// Open redirect: res.redirect(req.query.next)
+app.get('/auth/callback', (req, res) => {
+  res.redirect(req.query.next)
+})
+`,
+        language: 'typescript',
+        size: 500,
+      },
+    },
+    {
+      name: 'SSRF - Variable Mediated',
+      expectFindings: true,
+      expectedCategories: ['ssrf'],
+      description: 'Variable-mediated SSRF that should be detected',
+      file: {
+        path: 'src/api/webhook.ts',
+        content: `
+import express from 'express'
+
+const app = express()
+
+// Variable-mediated taint
+app.post('/api/webhook/test', async (req, res) => {
+  const webhookUrl = req.body.url
+  const payload = { event: 'test' }
+
+  // Tainted variable used in fetch
+  const response = await fetch(webhookUrl, {
+    method: 'POST',
+    body: JSON.stringify(payload),
+  })
+
+  res.json({ status: response.status })
+})
+`,
+        language: 'typescript',
+        size: 400,
+      },
+    },
+    {
+      name: 'SSRF - Template Literal',
+      expectFindings: true,
+      expectedCategories: ['ssrf'],
+      description: 'Template literal with user input in HTTP request URL',
+      file: {
+        path: 'src/api/service.ts',
+        content: `
+import express from 'express'
+
+const app = express()
+
+// Template literal with user input
+app.get('/api/resource', async (req, res) => {
+  const response = await fetch(\`\${req.query.baseUrl}/api/resource\`)
+  const data = await response.json()
+  res.json(data)
+})
+`,
+        language: 'typescript',
+        size: 250,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'SSRF - Env Var URL (safe)',
+      expectFindings: false,
+      description: 'Fetching from environment variable URL should not be flagged',
+      file: {
+        path: 'src/api/internal.ts',
+        content: `
+import express from 'express'
+
+const API_URL = process.env.API_URL
+
+const app = express()
+
+app.get('/api/data', async (req, res) => {
+  // URL from env var, not user input
+  const response = await fetch(API_URL + '/data')
+  res.json(await response.json())
+})
+`,
+        language: 'typescript',
+        size: 200,
+      },
+    },
+    {
+      name: 'SSRF - Client-Side Fetch (safe)',
+      expectFindings: false,
+      description: 'Client-side fetch with user input is not SSRF (browser-only)',
+      file: {
+        path: 'src/components/SearchForm.tsx',
+        content: `
+'use client'
+
+import { useState } from 'react'
+
+export function SearchForm() {
+  const [query, setQuery] = useState('')
+
+  const handleSearch = async () => {
+    // Client-side fetch - not SSRF
+    const response = await fetch(\`/api/search?q=\${query}\`)
+    const data = await response.json()
+    console.log(data)
+  }
+
+  return <input value={query} onChange={(e) => setQuery(e.target.value)} />
+}
+`,
+        language: 'typescript',
+        size: 300,
+      },
+    },
+    {
+      name: 'SSRF - Hardcoded URL (safe)',
+      expectFindings: false,
+      description: 'Fetching from hardcoded URL is safe',
+      file: {
+        path: 'src/services/api.ts',
+        content: `
+const HARDCODED_URL = 'https://api.example.com/v1'
+
+export async function getData() {
+  const response = await fetch(HARDCODED_URL + '/data')
+  return response.json()
+}
+
+export async function getConfig() {
+  return fetch('https://config.example.com/settings').then(r => r.json())
+}
+`,
+        language: 'typescript',
+        size: 200,
+      },
+    },
+    {
+      name: 'SSRF - Allowlist Validation (safe)',
+      expectFindings: false,
+      description: 'Fetch with allowlist validation should not be flagged',
+      file: {
+        path: 'src/api/validated-proxy.ts',
+        content: `
+import express from 'express'
+
+const allowedDomains = ['api.example.com', 'cdn.example.com']
+
+const app = express()
+
+app.post('/api/fetch', async (req, res) => {
+  const url = req.body.url
+  const parsed = new URL(url)
+
+  // Allowlist validation
+  if (!allowedDomains.includes(parsed.hostname)) {
+    return res.status(403).json({ error: 'Domain not allowed' })
+  }
+
+  const response = await fetch(url)
+  res.json(await response.json())
+})
+`,
+        language: 'typescript',
+        size: 350,
+      },
+    },
+  ],
+}

package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts

@@ -0,0 +1,195 @@
+/**
+ * XXE Detection Test Fixtures
+ * Tests for detecting XML External Entity injection vulnerabilities
+ */
+
+import type { TestGroup } from '../../types'
+
+export const xxeDetectionTests: TestGroup = {
+  name: 'XXE Detection',
+  tier: 'A',
+  layer: 2,
+  description: 'Detection of XML parsers used without external entity protection',
+
+  truePositives: [
+    {
+      name: 'XXE - Python ElementTree (unprotected)',
+      expectFindings: true,
+      expectedCategories: ['xxe'],
+      description: 'Python xml.etree without defusedxml must be detected',
+      file: {
+        path: 'src/parser.py',
+        content: `
+import xml.etree.ElementTree as ET
+
+def parse_user_xml(xml_data):
+    # Vulnerable: no defusedxml imported
+    tree = ET.parse(xml_data)
+    root = tree.getroot()
+    return root.find('name').text
+`,
+        language: 'python',
+        size: 200,
+      },
+    },
+    {
+      name: 'XXE - Java DocumentBuilderFactory (unprotected)',
+      expectFindings: true,
+      expectedCategories: ['xxe'],
+      description: 'Java DocumentBuilderFactory without setFeature must be detected',
+      file: {
+        path: 'src/XmlService.java',
+        content: `
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.DocumentBuilder;
+import org.w3c.dom.Document;
+
+public class XmlService {
+    public Document parseXml(String xml) throws Exception {
+        // Vulnerable: no feature disabling
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new InputSource(new StringReader(xml)));
+    }
+}
+`,
+        language: 'java',
+        size: 300,
+      },
+    },
+    {
+      name: 'XXE - Node.js xml2js (unprotected)',
+      expectFindings: true,
+      expectedCategories: ['xxe'],
+      description: 'Node.js xml2js without safe options must be detected',
+      file: {
+        path: 'src/xml-handler.ts',
+        content: `
+import xml2js from 'xml2js'
+
+export function parseXmlPayload(xmlData: string) {
+  // xml2js without explicit safe configuration
+  xml2js.parseString(xmlData, (err, result) => {
+    if (err) throw err
+    return result
+  })
+}
+`,
+        language: 'typescript',
+        size: 200,
+      },
+    },
+    {
+      name: 'XXE - PHP simplexml (unprotected)',
+      expectFindings: true,
+      expectedCategories: ['xxe'],
+      description: 'PHP simplexml_load_string without entity disable must be detected',
+      file: {
+        path: 'src/parser.php',
+        content: `
+<?php
+
+function parseUserXml($xmlString) {
+    // Vulnerable: no entity loader disabled
+    $xml = simplexml_load_string($xmlString);
+    return $xml->name;
+}
+`,
+        language: 'php',
+        size: 150,
+      },
+    },
+  ],
+
+  falseNegatives: [
+    {
+      name: 'XXE - Python with defusedxml (safe)',
+      expectFindings: false,
+      description: 'Python file using defusedxml is safe',
+      file: {
+        path: 'src/safe_parser.py',
+        content: `
+import defusedxml.ElementTree as ET
+
+def parse_user_xml(xml_data):
+    # Safe: using defusedxml
+    tree = ET.parse(xml_data)
+    root = tree.getroot()
+    return root.find('name').text
+`,
+        language: 'python',
+        size: 200,
+      },
+    },
+    {
+      name: 'XXE - Java with DTD Disabled (safe)',
+      expectFindings: false,
+      description: 'Java DocumentBuilderFactory with disallow-doctype-decl is safe',
+      file: {
+        path: 'src/SafeXmlService.java',
+        content: `
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.DocumentBuilder;
+
+public class SafeXmlService {
+    public Document parseXml(String xml) throws Exception {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        // Safe: DTD disabled
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        DocumentBuilder builder = factory.newDocumentBuilder();
+        return builder.parse(new InputSource(new StringReader(xml)));
+    }
+}
+`,
+        language: 'java',
+        size: 300,
+      },
+    },
+    {
+      name: 'XXE - Python with defusedxml import (safe)',
+      expectFindings: false,
+      description: 'Python file importing defusedxml even if using ET alias',
+      file: {
+        path: 'src/xml_utils.py',
+        content: `
+from defusedxml.ElementTree import parse, fromstring
+
+def load_config(path):
+    tree = parse(path)
+    return tree.getroot()
+
+def parse_string(xml_str):
+    return fromstring(xml_str)
+`,
+        language: 'python',
+        size: 200,
+      },
+    },
+    {
+      name: 'XXE - Browser DOMParser in TSX (safe)',
+      expectFindings: false,
+      description: 'Browser DOMParser in client-side TSX is inherently safe',
+      file: {
+        path: 'src/components/XmlViewer.tsx',
+        content: `
+'use client'
+
+export function XmlViewer({ xml }: { xml: string }) {
+  const parser = new DOMParser()
+  const doc = parser.parseFromString(xml, 'text/xml')
+  return <pre>{doc.documentElement.textContent}</pre>
+}
+`,
+        language: 'typescript',
+        size: 200,
+      },
+      allowedInfoFindings: [
+        {
+          category: 'xxe',
+          maxCount: 1,
+          reason: 'DOMParser in TSX may produce info-level finding',
+        },
+      ],
+    },
+  ],
+}

package/src/__tests__/benchmark/run-depth-validation.ts

@@ -3,10 +3,10 @@
  * Validates that local/verified/deep modes work correctly
  */
 
-import { runLayer1Scan } from '../../layer1'
-import { runLayer2Scan } from '../../layer2'
+import { runLayer1Scan } from '../../detect/secrets'
+import { runLayer2Scan } from '../../detect/structural'
 import { getTierForCategory, isTierVisibleAtDepth, formatTierStats, computeTierStats } from '../../tiers'
-import type { ScanFile, ScanDepth, Vulnerability } from '../../types'
+import type { ScanFile, ScanDepth, Vulnerability } from '../../shared/types'
 
 // Test fixture with various vulnerability types
 const testFile: ScanFile = {

package/src/__tests__/benchmark/run-real-world-test.ts

@@ -5,11 +5,11 @@
 
 import * as fs from 'fs'
 import * as path from 'path'
-import { runLayer1Scan } from '../../layer1'
-import { runLayer2Scan } from '../../layer2'
+import { runLayer1Scan } from '../../detect/secrets'
+import { runLayer2Scan } from '../../detect/structural'
 import { formatTierStats, computeTierStats } from '../../tiers'
-import { formatTerminalOutput } from '../../formatters/cli-terminal'
-import type { ScanFile, Vulnerability, ScanResult } from '../../types'
+import { formatTerminalOutput } from '../../report/formatters/cli-terminal'
+import type { ScanFile, Vulnerability, ScanResult } from '../../shared/types'
 
 /**
  * Test result for a directory scan

package/src/__tests__/benchmark/types.ts

@@ -2,7 +2,7 @@
  * Shared types for the security benchmark test suite
  */
 
-import type { ScanFile, Vulnerability, VulnerabilityCategory, VulnerabilitySeverity } from '../../types'
+import type { ScanFile, Vulnerability, VulnerabilityCategory, VulnerabilitySeverity } from '../../shared/types'
 
 /**
  * A test fixture containing a file to scan and expected results

package/src/__tests__/benchmark/utils/test-runner.ts

@@ -2,8 +2,8 @@
  * Test runner utilities for the security benchmark suite
  */
 
-import { runLayer1Scan } from '../../../layer1'
-import { runLayer2Scan } from '../../../layer2'
+import { runLayer1Scan } from '../../../detect/secrets'
+import { runLayer2Scan } from '../../../detect/structural'
 import { computeTierStats, formatTierStats, getTierForCategory } from '../../../tiers'
 import type {
   TestFixture,
@@ -14,7 +14,7 @@ import type {
   DetectorMetrics,
   SeverityMetrics
 } from '../types'
-import type { Vulnerability, VulnerabilityCategory } from '../../../types'
+import type { Vulnerability, VulnerabilityCategory } from '../../../shared/types'
 
 /**
  * Run a single test fixture

package/src/__tests__/category-filter.test.ts

@@ -17,8 +17,8 @@ import {
   validateCategories,
   CATEGORY_GROUPS,
   ALL_CATEGORIES,
-} from '../category-filter'
-import type { Vulnerability, VulnerabilityCategory } from '../types'
+} from '../shared/category-filter'
+import type { Vulnerability, VulnerabilityCategory } from '../shared/types'
 
 // Helper to create a minimal vulnerability for testing
 function createVulnerability(