@oculum/scanner 1.0.12 → 1.0.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/detect/ai-code/agent-tools.d.ts +22 -0
- package/dist/detect/ai-code/agent-tools.d.ts.map +1 -0
- package/dist/detect/ai-code/agent-tools.js +1509 -0
- package/dist/detect/ai-code/agent-tools.js.map +1 -0
- package/dist/detect/ai-code/byok-patterns.d.ts +15 -0
- package/dist/detect/ai-code/byok-patterns.d.ts.map +1 -0
- package/dist/detect/ai-code/byok-patterns.js +313 -0
- package/dist/detect/ai-code/byok-patterns.js.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts +38 -0
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +1 -0
- package/dist/detect/ai-code/endpoint-protection.js +349 -0
- package/dist/detect/ai-code/endpoint-protection.js.map +1 -0
- package/dist/detect/ai-code/execution-sinks.d.ts +21 -0
- package/dist/detect/ai-code/execution-sinks.d.ts.map +1 -0
- package/dist/detect/ai-code/execution-sinks.js +1158 -0
- package/dist/detect/ai-code/execution-sinks.js.map +1 -0
- package/dist/detect/ai-code/fingerprinting.d.ts +10 -0
- package/dist/detect/ai-code/fingerprinting.d.ts.map +1 -0
- package/dist/detect/ai-code/fingerprinting.js +665 -0
- package/dist/detect/ai-code/fingerprinting.js.map +1 -0
- package/dist/detect/ai-code/index.d.ts +12 -0
- package/dist/detect/ai-code/index.d.ts.map +1 -0
- package/dist/detect/ai-code/index.js +26 -0
- package/dist/detect/ai-code/index.js.map +1 -0
- package/dist/detect/ai-code/mcp-security.d.ts +20 -0
- package/dist/detect/ai-code/mcp-security.d.ts.map +1 -0
- package/dist/detect/ai-code/mcp-security.js +880 -0
- package/dist/detect/ai-code/mcp-security.js.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts +23 -0
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +1 -0
- package/dist/detect/ai-code/model-supply-chain.js +447 -0
- package/dist/detect/ai-code/model-supply-chain.js.map +1 -0
- package/dist/detect/ai-code/package-hallucination.d.ts +22 -0
- package/dist/detect/ai-code/package-hallucination.d.ts.map +1 -0
- package/dist/detect/ai-code/package-hallucination.js +841 -0
- package/dist/detect/ai-code/package-hallucination.js.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts +22 -0
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +1 -0
- package/dist/detect/ai-code/prompt-hygiene.js +1177 -0
- package/dist/detect/ai-code/prompt-hygiene.js.map +1 -0
- package/dist/detect/ai-code/rag-safety.d.ts +24 -0
- package/dist/detect/ai-code/rag-safety.d.ts.map +1 -0
- package/dist/detect/ai-code/rag-safety.js +913 -0
- package/dist/detect/ai-code/rag-safety.js.map +1 -0
- package/dist/detect/ai-code/schema-validation.d.ts +28 -0
- package/dist/detect/ai-code/schema-validation.d.ts.map +1 -0
- package/dist/detect/ai-code/schema-validation.js +378 -0
- package/dist/detect/ai-code/schema-validation.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts +27 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -0
- package/dist/detect/config/agent-skill-injection.js +472 -0
- package/dist/detect/config/agent-skill-injection.js.map +1 -0
- package/dist/detect/config/comments.d.ts +11 -0
- package/dist/detect/config/comments.d.ts.map +1 -0
- package/dist/detect/config/comments.js +206 -0
- package/dist/detect/config/comments.js.map +1 -0
- package/dist/detect/config/file-flags.d.ts +10 -0
- package/dist/detect/config/file-flags.d.ts.map +1 -0
- package/dist/detect/config/file-flags.js +124 -0
- package/dist/detect/config/file-flags.js.map +1 -0
- package/dist/detect/config/index.d.ts +7 -0
- package/dist/detect/config/index.d.ts.map +1 -0
- package/dist/detect/config/index.js +17 -0
- package/dist/detect/config/index.js.map +1 -0
- package/dist/detect/config/osv-check.d.ts +75 -0
- package/dist/detect/config/osv-check.d.ts.map +1 -0
- package/dist/detect/config/osv-check.js +309 -0
- package/dist/detect/config/osv-check.js.map +1 -0
- package/dist/detect/config/package-check.d.ts +63 -0
- package/dist/detect/config/package-check.d.ts.map +1 -0
- package/dist/detect/config/package-check.js +509 -0
- package/dist/detect/config/package-check.js.map +1 -0
- package/dist/detect/config/urls.d.ts +11 -0
- package/dist/detect/config/urls.d.ts.map +1 -0
- package/dist/detect/config/urls.js +450 -0
- package/dist/detect/config/urls.js.map +1 -0
- package/dist/detect/index.d.ts +37 -0
- package/dist/detect/index.d.ts.map +1 -0
- package/dist/detect/index.js +77 -0
- package/dist/detect/index.js.map +1 -0
- package/dist/detect/secrets/config-audit.d.ts +16 -0
- package/dist/detect/secrets/config-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-audit.js +410 -0
- package/dist/detect/secrets/config-audit.js.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts +23 -0
- package/dist/detect/secrets/config-mcp-audit.d.ts.map +1 -0
- package/dist/detect/secrets/config-mcp-audit.js +243 -0
- package/dist/detect/secrets/config-mcp-audit.js.map +1 -0
- package/dist/detect/secrets/entropy.d.ts +11 -0
- package/dist/detect/secrets/entropy.d.ts.map +1 -0
- package/dist/detect/secrets/entropy.js +751 -0
- package/dist/detect/secrets/entropy.js.map +1 -0
- package/dist/detect/secrets/index.d.ts +36 -0
- package/dist/detect/secrets/index.d.ts.map +1 -0
- package/dist/detect/secrets/index.js +174 -0
- package/dist/detect/secrets/index.js.map +1 -0
- package/dist/detect/secrets/patterns.d.ts +11 -0
- package/dist/detect/secrets/patterns.d.ts.map +1 -0
- package/dist/detect/secrets/patterns.js +518 -0
- package/dist/detect/secrets/patterns.js.map +1 -0
- package/dist/detect/secrets/weak-crypto.d.ts +10 -0
- package/dist/detect/secrets/weak-crypto.d.ts.map +1 -0
- package/dist/detect/secrets/weak-crypto.js +432 -0
- package/dist/detect/secrets/weak-crypto.js.map +1 -0
- package/dist/detect/structural/auth-patterns.d.ts +22 -0
- package/dist/detect/structural/auth-patterns.d.ts.map +1 -0
- package/dist/detect/structural/auth-patterns.js +533 -0
- package/dist/detect/structural/auth-patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/child-process.js +74 -0
- package/dist/detect/structural/dangerous-functions/child-process.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +34 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js +230 -0
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts +16 -0
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/index.js +1193 -0
- package/dist/detect/structural/dangerous-functions/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js +326 -0
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +111 -0
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/math-random.js +684 -0
- package/dist/detect/structural/dangerous-functions/math-random.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +21 -0
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/patterns.js +163 -0
- package/dist/detect/structural/dangerous-functions/patterns.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +13 -0
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js +126 -0
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +24 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +70 -0
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +31 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +147 -0
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +9 -0
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js +23 -0
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +22 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +102 -0
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +1 -0
- package/dist/detect/structural/data-exposure.d.ts +19 -0
- package/dist/detect/structural/data-exposure.d.ts.map +1 -0
- package/dist/detect/structural/data-exposure.js +262 -0
- package/dist/detect/structural/data-exposure.js.map +1 -0
- package/dist/detect/structural/framework-checks.d.ts +10 -0
- package/dist/detect/structural/framework-checks.d.ts.map +1 -0
- package/dist/detect/structural/framework-checks.js +389 -0
- package/dist/detect/structural/framework-checks.js.map +1 -0
- package/dist/detect/structural/index.d.ts +71 -0
- package/dist/detect/structural/index.d.ts.map +1 -0
- package/dist/detect/structural/index.js +510 -0
- package/dist/detect/structural/index.js.map +1 -0
- package/dist/detect/structural/log-injection.d.ts +18 -0
- package/dist/detect/structural/log-injection.d.ts.map +1 -0
- package/dist/detect/structural/log-injection.js +217 -0
- package/dist/detect/structural/log-injection.js.map +1 -0
- package/dist/detect/structural/logic-gates.d.ts +10 -0
- package/dist/detect/structural/logic-gates.d.ts.map +1 -0
- package/dist/detect/structural/logic-gates.js +227 -0
- package/dist/detect/structural/logic-gates.js.map +1 -0
- package/dist/detect/structural/risky-imports.d.ts +10 -0
- package/dist/detect/structural/risky-imports.d.ts.map +1 -0
- package/dist/detect/structural/risky-imports.js +168 -0
- package/dist/detect/structural/risky-imports.js.map +1 -0
- package/dist/detect/structural/security-headers.d.ts +18 -0
- package/dist/detect/structural/security-headers.d.ts.map +1 -0
- package/dist/detect/structural/security-headers.js +196 -0
- package/dist/detect/structural/security-headers.js.map +1 -0
- package/dist/detect/structural/ssrf-detection.d.ts +18 -0
- package/dist/detect/structural/ssrf-detection.d.ts.map +1 -0
- package/dist/detect/structural/ssrf-detection.js +263 -0
- package/dist/detect/structural/ssrf-detection.js.map +1 -0
- package/dist/detect/structural/variables.d.ts +11 -0
- package/dist/detect/structural/variables.d.ts.map +1 -0
- package/dist/detect/structural/variables.js +159 -0
- package/dist/detect/structural/variables.js.map +1 -0
- package/dist/detect/structural/xxe-detection.d.ts +18 -0
- package/dist/detect/structural/xxe-detection.d.ts.map +1 -0
- package/dist/detect/structural/xxe-detection.js +245 -0
- package/dist/detect/structural/xxe-detection.js.map +1 -0
- package/dist/index.d.ts +17 -64
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +49 -1034
- package/dist/index.js.map +1 -1
- package/dist/layer2/framework-checks.d.ts.map +1 -1
- package/dist/layer2/framework-checks.js +1 -8
- package/dist/layer2/framework-checks.js.map +1 -1
- package/dist/layer2/index.d.ts +4 -0
- package/dist/layer2/index.d.ts.map +1 -1
- package/dist/layer2/index.js +50 -1
- package/dist/layer2/index.js.map +1 -1
- package/dist/layer2/log-injection.d.ts +18 -0
- package/dist/layer2/log-injection.d.ts.map +1 -0
- package/dist/layer2/log-injection.js +214 -0
- package/dist/layer2/log-injection.js.map +1 -0
- package/dist/layer2/security-headers.d.ts +18 -0
- package/dist/layer2/security-headers.d.ts.map +1 -0
- package/dist/layer2/security-headers.js +187 -0
- package/dist/layer2/security-headers.js.map +1 -0
- package/dist/layer2/ssrf-detection.d.ts +18 -0
- package/dist/layer2/ssrf-detection.d.ts.map +1 -0
- package/dist/layer2/ssrf-detection.js +252 -0
- package/dist/layer2/ssrf-detection.js.map +1 -0
- package/dist/layer2/xxe-detection.d.ts +18 -0
- package/dist/layer2/xxe-detection.d.ts.map +1 -0
- package/dist/layer2/xxe-detection.js +242 -0
- package/dist/layer2/xxe-detection.js.map +1 -0
- package/dist/layer3/anthropic/prompts/index.d.ts +1 -1
- package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/index.js +3 -1
- package/dist/layer3/anthropic/prompts/index.js.map +1 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +156 -0
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +9 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +25 -0
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +11 -0
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/common.js +152 -0
- package/dist/layer3/anthropic/prompts/modules/common.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +54 -0
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/index.js +185 -0
- package/dist/layer3/anthropic/prompts/modules/index.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +84 -0
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +68 -0
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +22 -0
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/layer3/anthropic/prompts/validation.d.ts +9 -3
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -1
- package/dist/layer3/anthropic/prompts/validation.js +14 -410
- package/dist/layer3/anthropic/prompts/validation.js.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/anthropic.js +6 -3
- package/dist/layer3/anthropic/providers/anthropic.js.map +1 -1
- package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -1
- package/dist/layer3/anthropic/providers/openai.js +6 -3
- package/dist/layer3/anthropic/providers/openai.js.map +1 -1
- package/dist/layer3/anthropic/request-builder.d.ts +11 -4
- package/dist/layer3/anthropic/request-builder.d.ts.map +1 -1
- package/dist/layer3/anthropic/request-builder.js +32 -16
- package/dist/layer3/anthropic/request-builder.js.map +1 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +55 -0
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +1 -0
- package/dist/layer3/anthropic/utils/context-extractor.js +161 -0
- package/dist/layer3/anthropic/utils/context-extractor.js.map +1 -0
- package/dist/layer3/anthropic/utils/index.d.ts +2 -0
- package/dist/layer3/anthropic/utils/index.d.ts.map +1 -1
- package/dist/layer3/anthropic/utils/index.js +4 -1
- package/dist/layer3/anthropic/utils/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts +56 -0
- package/dist/model/auth-helper-detector.d.ts.map +1 -0
- package/dist/model/auth-helper-detector.js +360 -0
- package/dist/model/auth-helper-detector.js.map +1 -0
- package/dist/model/cross-file-taint.d.ts +40 -0
- package/dist/model/cross-file-taint.d.ts.map +1 -0
- package/dist/model/cross-file-taint.js +290 -0
- package/dist/model/cross-file-taint.js.map +1 -0
- package/dist/model/framework-models/django.d.ts +9 -0
- package/dist/model/framework-models/django.d.ts.map +1 -0
- package/dist/model/framework-models/django.js +82 -0
- package/dist/model/framework-models/django.js.map +1 -0
- package/dist/model/framework-models/express.d.ts +9 -0
- package/dist/model/framework-models/express.d.ts.map +1 -0
- package/dist/model/framework-models/express.js +52 -0
- package/dist/model/framework-models/express.js.map +1 -0
- package/dist/model/framework-models/index.d.ts +20 -0
- package/dist/model/framework-models/index.d.ts.map +1 -0
- package/dist/model/framework-models/index.js +102 -0
- package/dist/model/framework-models/index.js.map +1 -0
- package/dist/model/framework-models/nextjs.d.ts +9 -0
- package/dist/model/framework-models/nextjs.d.ts.map +1 -0
- package/dist/model/framework-models/nextjs.js +71 -0
- package/dist/model/framework-models/nextjs.js.map +1 -0
- package/dist/model/framework-models/prisma.d.ts +10 -0
- package/dist/model/framework-models/prisma.d.ts.map +1 -0
- package/dist/model/framework-models/prisma.js +54 -0
- package/dist/model/framework-models/prisma.js.map +1 -0
- package/dist/model/framework-models/react.d.ts +9 -0
- package/dist/model/framework-models/react.d.ts.map +1 -0
- package/dist/model/framework-models/react.js +67 -0
- package/dist/model/framework-models/react.js.map +1 -0
- package/dist/model/framework-models/sequelize.d.ts +9 -0
- package/dist/model/framework-models/sequelize.d.ts.map +1 -0
- package/dist/model/framework-models/sequelize.js +62 -0
- package/dist/model/framework-models/sequelize.js.map +1 -0
- package/dist/model/framework-models/types.d.ts +43 -0
- package/dist/model/framework-models/types.d.ts.map +1 -0
- package/dist/model/framework-models/types.js +10 -0
- package/dist/model/framework-models/types.js.map +1 -0
- package/dist/model/function-classifier.d.ts +32 -0
- package/dist/model/function-classifier.d.ts.map +1 -0
- package/dist/model/function-classifier.js +143 -0
- package/dist/model/function-classifier.js.map +1 -0
- package/dist/model/import-resolver.d.ts +45 -0
- package/dist/model/import-resolver.d.ts.map +1 -0
- package/dist/model/import-resolver.js +410 -0
- package/dist/model/import-resolver.js.map +1 -0
- package/dist/model/imported-auth-detector.d.ts +38 -0
- package/dist/model/imported-auth-detector.d.ts.map +1 -0
- package/dist/model/imported-auth-detector.js +199 -0
- package/dist/model/imported-auth-detector.js.map +1 -0
- package/dist/model/index.d.ts +63 -0
- package/dist/model/index.d.ts.map +1 -0
- package/dist/model/index.js +272 -0
- package/dist/model/index.js.map +1 -0
- package/dist/model/middleware-detector.d.ts +55 -0
- package/dist/model/middleware-detector.d.ts.map +1 -0
- package/dist/model/middleware-detector.js +382 -0
- package/dist/model/middleware-detector.js.map +1 -0
- package/dist/model/module-graph.d.ts +46 -0
- package/dist/model/module-graph.d.ts.map +1 -0
- package/dist/model/module-graph.js +187 -0
- package/dist/model/module-graph.js.map +1 -0
- package/dist/model/oauth-flow-detector.d.ts +41 -0
- package/dist/model/oauth-flow-detector.d.ts.map +1 -0
- package/dist/model/oauth-flow-detector.js +202 -0
- package/dist/model/oauth-flow-detector.js.map +1 -0
- package/dist/model/project-context.d.ts +119 -0
- package/dist/model/project-context.d.ts.map +1 -0
- package/dist/model/project-context.js +534 -0
- package/dist/model/project-context.js.map +1 -0
- package/dist/model/route-auth-resolver.d.ts +27 -0
- package/dist/model/route-auth-resolver.d.ts.map +1 -0
- package/dist/model/route-auth-resolver.js +182 -0
- package/dist/model/route-auth-resolver.js.map +1 -0
- package/dist/model/route-discovery/express.d.ts +25 -0
- package/dist/model/route-discovery/express.d.ts.map +1 -0
- package/dist/model/route-discovery/express.js +225 -0
- package/dist/model/route-discovery/express.js.map +1 -0
- package/dist/model/route-discovery/index.d.ts +21 -0
- package/dist/model/route-discovery/index.d.ts.map +1 -0
- package/dist/model/route-discovery/index.js +67 -0
- package/dist/model/route-discovery/index.js.map +1 -0
- package/dist/model/route-discovery/nextjs.d.ts +16 -0
- package/dist/model/route-discovery/nextjs.d.ts.map +1 -0
- package/dist/model/route-discovery/nextjs.js +179 -0
- package/dist/model/route-discovery/nextjs.js.map +1 -0
- package/dist/model/route-discovery/python.d.ts +16 -0
- package/dist/model/route-discovery/python.d.ts.map +1 -0
- package/dist/model/route-discovery/python.js +181 -0
- package/dist/model/route-discovery/python.js.map +1 -0
- package/dist/model/route-discovery/types.d.ts +36 -0
- package/dist/model/route-discovery/types.d.ts.map +1 -0
- package/dist/model/route-discovery/types.js +16 -0
- package/dist/model/route-discovery/types.js.map +1 -0
- package/dist/model/route-discovery/utils.d.ts +18 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -0
- package/dist/model/route-discovery/utils.js +55 -0
- package/dist/model/route-discovery/utils.js.map +1 -0
- package/dist/model/route-hierarchy.d.ts +50 -0
- package/dist/model/route-hierarchy.d.ts.map +1 -0
- package/dist/model/route-hierarchy.js +226 -0
- package/dist/model/route-hierarchy.js.map +1 -0
- package/dist/model/sanitiser-detection.d.ts +27 -0
- package/dist/model/sanitiser-detection.d.ts.map +1 -0
- package/dist/model/sanitiser-detection.js +224 -0
- package/dist/model/sanitiser-detection.js.map +1 -0
- package/dist/model/sink-matcher.d.ts +17 -0
- package/dist/model/sink-matcher.d.ts.map +1 -0
- package/dist/model/sink-matcher.js +141 -0
- package/dist/model/sink-matcher.js.map +1 -0
- package/dist/model/sink-patterns.d.ts +19 -0
- package/dist/model/sink-patterns.d.ts.map +1 -0
- package/dist/model/sink-patterns.js +88 -0
- package/dist/model/sink-patterns.js.map +1 -0
- package/dist/model/source-discovery.d.ts +15 -0
- package/dist/model/source-discovery.d.ts.map +1 -0
- package/dist/model/source-discovery.js +170 -0
- package/dist/model/source-discovery.js.map +1 -0
- package/dist/model/taint-tracker.d.ts +21 -0
- package/dist/model/taint-tracker.d.ts.map +1 -0
- package/dist/model/taint-tracker.js +281 -0
- package/dist/model/taint-tracker.js.map +1 -0
- package/dist/model/taint-types.d.ts +74 -0
- package/dist/model/taint-types.d.ts.map +1 -0
- package/dist/model/taint-types.js +9 -0
- package/dist/model/taint-types.js.map +1 -0
- package/dist/model/trpc-analyzer.d.ts +78 -0
- package/dist/model/trpc-analyzer.d.ts.map +1 -0
- package/dist/model/trpc-analyzer.js +297 -0
- package/dist/model/trpc-analyzer.js.map +1 -0
- package/dist/parse/file-classifier.d.ts +228 -0
- package/dist/parse/file-classifier.d.ts.map +1 -0
- package/dist/parse/file-classifier.js +933 -0
- package/dist/parse/file-classifier.js.map +1 -0
- package/dist/parse/path-exclusions.d.ts +55 -0
- package/dist/parse/path-exclusions.d.ts.map +1 -0
- package/dist/parse/path-exclusions.js +224 -0
- package/dist/parse/path-exclusions.js.map +1 -0
- package/dist/pipeline/config.d.ts +41 -0
- package/dist/pipeline/config.d.ts.map +1 -0
- package/dist/pipeline/config.js +46 -0
- package/dist/pipeline/config.js.map +1 -0
- package/dist/pipeline/index.d.ts +34 -0
- package/dist/pipeline/index.d.ts.map +1 -0
- package/dist/pipeline/index.js +398 -0
- package/dist/pipeline/index.js.map +1 -0
- package/dist/pipeline/modes/incremental.d.ts +66 -0
- package/dist/pipeline/modes/incremental.d.ts.map +1 -0
- package/dist/pipeline/modes/incremental.js +200 -0
- package/dist/pipeline/modes/incremental.js.map +1 -0
- package/dist/postprocess/aggregation.d.ts +14 -0
- package/dist/postprocess/aggregation.d.ts.map +1 -0
- package/dist/postprocess/aggregation.js +63 -0
- package/dist/postprocess/aggregation.js.map +1 -0
- package/dist/postprocess/contradictions.d.ts +18 -0
- package/dist/postprocess/contradictions.d.ts.map +1 -0
- package/dist/postprocess/contradictions.js +99 -0
- package/dist/postprocess/contradictions.js.map +1 -0
- package/dist/postprocess/dedup.d.ts +13 -0
- package/dist/postprocess/dedup.d.ts.map +1 -0
- package/dist/postprocess/dedup.js +58 -0
- package/dist/postprocess/dedup.js.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts +23 -0
- package/dist/postprocess/filtering/context-adjustments.d.ts.map +1 -0
- package/dist/postprocess/filtering/context-adjustments.js +100 -0
- package/dist/postprocess/filtering/context-adjustments.js.map +1 -0
- package/dist/postprocess/filtering/index.d.ts +3 -0
- package/dist/postprocess/filtering/index.d.ts.map +1 -0
- package/dist/postprocess/filtering/index.js +8 -0
- package/dist/postprocess/filtering/index.js.map +1 -0
- package/dist/postprocess/filtering/pipeline.d.ts +48 -0
- package/dist/postprocess/filtering/pipeline.d.ts.map +1 -0
- package/dist/postprocess/filtering/pipeline.js +76 -0
- package/dist/postprocess/filtering/pipeline.js.map +1 -0
- package/dist/postprocess/index.d.ts +41 -0
- package/dist/postprocess/index.d.ts.map +1 -0
- package/dist/postprocess/index.js +85 -0
- package/dist/postprocess/index.js.map +1 -0
- package/dist/postprocess/suppression/config-loader.d.ts +74 -0
- package/dist/postprocess/suppression/config-loader.d.ts.map +1 -0
- package/dist/postprocess/suppression/config-loader.js +424 -0
- package/dist/postprocess/suppression/config-loader.js.map +1 -0
- package/dist/postprocess/suppression/hash.d.ts +48 -0
- package/dist/postprocess/suppression/hash.d.ts.map +1 -0
- package/dist/postprocess/suppression/hash.js +88 -0
- package/dist/postprocess/suppression/hash.js.map +1 -0
- package/dist/postprocess/suppression/index.d.ts +11 -0
- package/dist/postprocess/suppression/index.d.ts.map +1 -0
- package/dist/postprocess/suppression/index.js +39 -0
- package/dist/postprocess/suppression/index.js.map +1 -0
- package/dist/postprocess/suppression/inline-parser.d.ts +39 -0
- package/dist/postprocess/suppression/inline-parser.d.ts.map +1 -0
- package/dist/postprocess/suppression/inline-parser.js +218 -0
- package/dist/postprocess/suppression/inline-parser.js.map +1 -0
- package/dist/postprocess/suppression/manager.d.ts +94 -0
- package/dist/postprocess/suppression/manager.d.ts.map +1 -0
- package/dist/postprocess/suppression/manager.js +292 -0
- package/dist/postprocess/suppression/manager.js.map +1 -0
- package/dist/postprocess/suppression/types.d.ts +151 -0
- package/dist/postprocess/suppression/types.d.ts.map +1 -0
- package/dist/postprocess/suppression/types.js +28 -0
- package/dist/postprocess/suppression/types.js.map +1 -0
- package/dist/postprocess/validation-cap.d.ts +17 -0
- package/dist/postprocess/validation-cap.d.ts.map +1 -0
- package/dist/postprocess/validation-cap.js +64 -0
- package/dist/postprocess/validation-cap.js.map +1 -0
- package/dist/report/build-result.d.ts +33 -0
- package/dist/report/build-result.d.ts.map +1 -0
- package/dist/report/build-result.js +59 -0
- package/dist/report/build-result.js.map +1 -0
- package/dist/report/enrichment.d.ts +19 -0
- package/dist/report/enrichment.d.ts.map +1 -0
- package/dist/report/enrichment.js +44 -0
- package/dist/report/enrichment.js.map +1 -0
- package/dist/report/formatters/ai-context.d.ts +23 -0
- package/dist/report/formatters/ai-context.d.ts.map +1 -0
- package/dist/report/formatters/ai-context.js +238 -0
- package/dist/report/formatters/ai-context.js.map +1 -0
- package/dist/report/formatters/cli-terminal.d.ts +65 -0
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -0
- package/dist/report/formatters/cli-terminal.js +735 -0
- package/dist/report/formatters/cli-terminal.js.map +1 -0
- package/dist/report/formatters/github-comment.d.ts +41 -0
- package/dist/report/formatters/github-comment.d.ts.map +1 -0
- package/dist/report/formatters/github-comment.js +370 -0
- package/dist/report/formatters/github-comment.js.map +1 -0
- package/dist/report/formatters/grouping.d.ts +52 -0
- package/dist/report/formatters/grouping.d.ts.map +1 -0
- package/dist/report/formatters/grouping.js +152 -0
- package/dist/report/formatters/grouping.js.map +1 -0
- package/dist/report/formatters/ide/claude-code.d.ts +17 -0
- package/dist/report/formatters/ide/claude-code.d.ts.map +1 -0
- package/dist/report/formatters/ide/claude-code.js +94 -0
- package/dist/report/formatters/ide/claude-code.js.map +1 -0
- package/dist/report/formatters/ide/cursor.d.ts +13 -0
- package/dist/report/formatters/ide/cursor.d.ts.map +1 -0
- package/dist/report/formatters/ide/cursor.js +125 -0
- package/dist/report/formatters/ide/cursor.js.map +1 -0
- package/dist/report/formatters/ide/index.d.ts +62 -0
- package/dist/report/formatters/ide/index.d.ts.map +1 -0
- package/dist/report/formatters/ide/index.js +184 -0
- package/dist/report/formatters/ide/index.js.map +1 -0
- package/dist/report/formatters/ide/windsurf.d.ts +13 -0
- package/dist/report/formatters/ide/windsurf.d.ts.map +1 -0
- package/dist/report/formatters/ide/windsurf.js +117 -0
- package/dist/report/formatters/ide/windsurf.js.map +1 -0
- package/dist/report/formatters/index.d.ts +11 -0
- package/dist/report/formatters/index.d.ts.map +1 -0
- package/dist/report/formatters/index.js +54 -0
- package/dist/report/formatters/index.js.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts +103 -0
- package/dist/report/formatters/vscode-diagnostic.d.ts.map +1 -0
- package/dist/report/formatters/vscode-diagnostic.js +151 -0
- package/dist/report/formatters/vscode-diagnostic.js.map +1 -0
- package/dist/report/summary.d.ts +27 -0
- package/dist/report/summary.d.ts.map +1 -0
- package/dist/report/summary.js +57 -0
- package/dist/report/summary.js.map +1 -0
- package/dist/rules/metadata.d.ts.map +1 -1
- package/dist/rules/metadata.js +66 -0
- package/dist/rules/metadata.js.map +1 -1
- package/dist/score/adjustments.d.ts +22 -0
- package/dist/score/adjustments.d.ts.map +1 -0
- package/dist/score/adjustments.js +373 -0
- package/dist/score/adjustments.js.map +1 -0
- package/dist/score/auto-dismiss.d.ts +28 -0
- package/dist/score/auto-dismiss.d.ts.map +1 -0
- package/dist/score/auto-dismiss.js +200 -0
- package/dist/score/auto-dismiss.js.map +1 -0
- package/dist/score/confidence.d.ts +19 -0
- package/dist/score/confidence.d.ts.map +1 -0
- package/dist/score/confidence.js +52 -0
- package/dist/score/confidence.js.map +1 -0
- package/dist/score/index.d.ts +61 -0
- package/dist/score/index.d.ts.map +1 -0
- package/dist/score/index.js +250 -0
- package/dist/score/index.js.map +1 -0
- package/dist/score/types.d.ts +160 -0
- package/dist/score/types.d.ts.map +1 -0
- package/dist/score/types.js +14 -0
- package/dist/score/types.js.map +1 -0
- package/dist/shared/ai-context/index.d.ts +6 -0
- package/dist/shared/ai-context/index.d.ts.map +1 -0
- package/dist/shared/ai-context/index.js +13 -0
- package/dist/shared/ai-context/index.js.map +1 -0
- package/dist/shared/ai-context/manager.d.ts +67 -0
- package/dist/shared/ai-context/manager.d.ts.map +1 -0
- package/dist/shared/ai-context/manager.js +104 -0
- package/dist/shared/ai-context/manager.js.map +1 -0
- package/dist/shared/baseline/diff.d.ts +32 -0
- package/dist/shared/baseline/diff.d.ts.map +1 -0
- package/dist/shared/baseline/diff.js +119 -0
- package/dist/shared/baseline/diff.js.map +1 -0
- package/dist/shared/baseline/index.d.ts +9 -0
- package/dist/shared/baseline/index.d.ts.map +1 -0
- package/dist/shared/baseline/index.js +19 -0
- package/dist/shared/baseline/index.js.map +1 -0
- package/dist/shared/baseline/manager.d.ts +67 -0
- package/dist/shared/baseline/manager.d.ts.map +1 -0
- package/dist/shared/baseline/manager.js +180 -0
- package/dist/shared/baseline/manager.js.map +1 -0
- package/dist/shared/baseline/types.d.ts +91 -0
- package/dist/shared/baseline/types.d.ts.map +1 -0
- package/dist/shared/baseline/types.js +12 -0
- package/dist/shared/baseline/types.js.map +1 -0
- package/dist/shared/category-filter.d.ts +125 -0
- package/dist/shared/category-filter.d.ts.map +1 -0
- package/dist/shared/category-filter.js +360 -0
- package/dist/shared/category-filter.js.map +1 -0
- package/dist/shared/code-analysis.d.ts +39 -0
- package/dist/shared/code-analysis.d.ts.map +1 -0
- package/dist/shared/code-analysis.js +159 -0
- package/dist/shared/code-analysis.js.map +1 -0
- package/dist/shared/comment-analyzer.d.ts +38 -0
- package/dist/shared/comment-analyzer.d.ts.map +1 -0
- package/dist/shared/comment-analyzer.js +218 -0
- package/dist/shared/comment-analyzer.js.map +1 -0
- package/dist/shared/diff-detector.d.ts +53 -0
- package/dist/shared/diff-detector.d.ts.map +1 -0
- package/dist/shared/diff-detector.js +104 -0
- package/dist/shared/diff-detector.js.map +1 -0
- package/dist/shared/diff-parser.d.ts +80 -0
- package/dist/shared/diff-parser.d.ts.map +1 -0
- package/dist/shared/diff-parser.js +202 -0
- package/dist/shared/diff-parser.js.map +1 -0
- package/dist/shared/environment-context.d.ts +76 -0
- package/dist/shared/environment-context.d.ts.map +1 -0
- package/dist/shared/environment-context.js +271 -0
- package/dist/shared/environment-context.js.map +1 -0
- package/dist/shared/intent-detector.d.ts +66 -0
- package/dist/shared/intent-detector.d.ts.map +1 -0
- package/dist/shared/intent-detector.js +282 -0
- package/dist/shared/intent-detector.js.map +1 -0
- package/dist/shared/parsed-file.d.ts +51 -0
- package/dist/shared/parsed-file.d.ts.map +1 -0
- package/dist/shared/parsed-file.js +95 -0
- package/dist/shared/parsed-file.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +93 -0
- package/dist/shared/registry-clients.d.ts.map +1 -0
- package/dist/shared/registry-clients.js +273 -0
- package/dist/shared/registry-clients.js.map +1 -0
- package/dist/shared/rules/framework-fixes.d.ts +48 -0
- package/dist/shared/rules/framework-fixes.d.ts.map +1 -0
- package/dist/shared/rules/framework-fixes.js +439 -0
- package/dist/shared/rules/framework-fixes.js.map +1 -0
- package/dist/shared/rules/index.d.ts +8 -0
- package/dist/shared/rules/index.d.ts.map +1 -0
- package/dist/shared/rules/index.js +18 -0
- package/dist/shared/rules/index.js.map +1 -0
- package/dist/shared/rules/metadata.d.ts +43 -0
- package/dist/shared/rules/metadata.d.ts.map +1 -0
- package/dist/shared/rules/metadata.js +819 -0
- package/dist/shared/rules/metadata.js.map +1 -0
- package/dist/shared/schema-semantics.d.ts +45 -0
- package/dist/shared/schema-semantics.d.ts.map +1 -0
- package/dist/shared/schema-semantics.js +193 -0
- package/dist/shared/schema-semantics.js.map +1 -0
- package/dist/shared/types.d.ts +337 -0
- package/dist/shared/types.d.ts.map +1 -0
- package/dist/shared/types.js +126 -0
- package/dist/shared/types.js.map +1 -0
- package/dist/tiers.d.ts +4 -4
- package/dist/tiers.d.ts.map +1 -1
- package/dist/tiers.js +11 -1
- package/dist/tiers.js.map +1 -1
- package/dist/types.d.ts +1 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js.map +1 -1
- package/dist/validate/clients.d.ts +44 -0
- package/dist/validate/clients.d.ts.map +1 -0
- package/dist/validate/clients.js +81 -0
- package/dist/validate/clients.js.map +1 -0
- package/dist/validate/index.d.ts +41 -0
- package/dist/validate/index.d.ts.map +1 -0
- package/dist/validate/index.js +141 -0
- package/dist/validate/index.js.map +1 -0
- package/dist/validate/prompts/index.d.ts +8 -0
- package/dist/validate/prompts/index.d.ts.map +1 -0
- package/dist/validate/prompts/index.js +16 -0
- package/dist/validate/prompts/index.js.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts +19 -0
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -0
- package/dist/validate/prompts/modules/ai-patterns.js +156 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -0
- package/dist/validate/prompts/modules/auth-access.d.ts +9 -0
- package/dist/validate/prompts/modules/auth-access.d.ts.map +1 -0
- package/dist/validate/prompts/modules/auth-access.js +25 -0
- package/dist/validate/prompts/modules/auth-access.js.map +1 -0
- package/dist/validate/prompts/modules/common.d.ts +11 -0
- package/dist/validate/prompts/modules/common.d.ts.map +1 -0
- package/dist/validate/prompts/modules/common.js +186 -0
- package/dist/validate/prompts/modules/common.js.map +1 -0
- package/dist/validate/prompts/modules/index.d.ts +54 -0
- package/dist/validate/prompts/modules/index.d.ts.map +1 -0
- package/dist/validate/prompts/modules/index.js +186 -0
- package/dist/validate/prompts/modules/index.js.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts +8 -0
- package/dist/validate/prompts/modules/owasp-classic.d.ts.map +1 -0
- package/dist/validate/prompts/modules/owasp-classic.js +84 -0
- package/dist/validate/prompts/modules/owasp-classic.js.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts +8 -0
- package/dist/validate/prompts/modules/secrets-crypto.d.ts.map +1 -0
- package/dist/validate/prompts/modules/secrets-crypto.js +68 -0
- package/dist/validate/prompts/modules/secrets-crypto.js.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts +8 -0
- package/dist/validate/prompts/modules/xss-prompt.d.ts.map +1 -0
- package/dist/validate/prompts/modules/xss-prompt.js +22 -0
- package/dist/validate/prompts/modules/xss-prompt.js.map +1 -0
- package/dist/validate/prompts/semantic-analysis.d.ts +15 -0
- package/dist/validate/prompts/semantic-analysis.d.ts.map +1 -0
- package/dist/validate/prompts/semantic-analysis.js +169 -0
- package/dist/validate/prompts/semantic-analysis.js.map +1 -0
- package/dist/validate/prompts/validation.d.ts +18 -0
- package/dist/validate/prompts/validation.d.ts.map +1 -0
- package/dist/validate/prompts/validation.js +25 -0
- package/dist/validate/prompts/validation.js.map +1 -0
- package/dist/validate/providers/anthropic.d.ts +17 -0
- package/dist/validate/providers/anthropic.d.ts.map +1 -0
- package/dist/validate/providers/anthropic.js +260 -0
- package/dist/validate/providers/anthropic.js.map +1 -0
- package/dist/validate/providers/index.d.ts +8 -0
- package/dist/validate/providers/index.d.ts.map +1 -0
- package/dist/validate/providers/index.js +13 -0
- package/dist/validate/providers/index.js.map +1 -0
- package/dist/validate/providers/openai.d.ts +14 -0
- package/dist/validate/providers/openai.d.ts.map +1 -0
- package/dist/validate/providers/openai.js +336 -0
- package/dist/validate/providers/openai.js.map +1 -0
- package/dist/validate/request-builder.d.ts +61 -0
- package/dist/validate/request-builder.d.ts.map +1 -0
- package/dist/validate/request-builder.js +346 -0
- package/dist/validate/request-builder.js.map +1 -0
- package/dist/validate/types.d.ts +88 -0
- package/dist/validate/types.d.ts.map +1 -0
- package/dist/validate/types.js +38 -0
- package/dist/validate/types.js.map +1 -0
- package/dist/validate/utils/context-extractor.d.ts +55 -0
- package/dist/validate/utils/context-extractor.d.ts.map +1 -0
- package/dist/validate/utils/context-extractor.js +161 -0
- package/dist/validate/utils/context-extractor.js.map +1 -0
- package/dist/validate/utils/index.d.ts +11 -0
- package/dist/validate/utils/index.d.ts.map +1 -0
- package/dist/validate/utils/index.js +27 -0
- package/dist/validate/utils/index.js.map +1 -0
- package/dist/validate/utils/path-helpers.d.ts +21 -0
- package/dist/validate/utils/path-helpers.d.ts.map +1 -0
- package/dist/validate/utils/path-helpers.js +69 -0
- package/dist/validate/utils/path-helpers.js.map +1 -0
- package/dist/validate/utils/response-parser.d.ts +40 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -0
- package/dist/validate/utils/response-parser.js +286 -0
- package/dist/validate/utils/response-parser.js.map +1 -0
- package/dist/validate/utils/retry.d.ts +15 -0
- package/dist/validate/utils/retry.d.ts.map +1 -0
- package/dist/validate/utils/retry.js +62 -0
- package/dist/validate/utils/retry.js.map +1 -0
- package/package.json +8 -7
- package/src/__tests__/benchmark/fixtures/layer1/agent-skill-injection.ts +204 -0
- package/src/__tests__/benchmark/fixtures/layer1/index.ts +3 -0
- package/src/__tests__/benchmark/fixtures/layer2/index.ts +15 -0
- package/src/__tests__/benchmark/fixtures/layer2/log-injection.ts +147 -0
- package/src/__tests__/benchmark/fixtures/layer2/security-headers.ts +197 -0
- package/src/__tests__/benchmark/fixtures/layer2/ssrf-detection.ts +210 -0
- package/src/__tests__/benchmark/fixtures/layer2/xxe-detection.ts +195 -0
- package/src/__tests__/benchmark/run-depth-validation.ts +3 -3
- package/src/__tests__/benchmark/run-real-world-test.ts +4 -4
- package/src/__tests__/benchmark/types.ts +1 -1
- package/src/__tests__/benchmark/utils/test-runner.ts +3 -3
- package/src/__tests__/category-filter.test.ts +2 -2
- package/src/__tests__/context-engine/cross-file-taint.test.ts +284 -0
- package/src/__tests__/context-engine/framework-models.test.ts +457 -0
- package/src/__tests__/context-engine/function-classifier.test.ts +146 -0
- package/src/__tests__/context-engine/import-resolver.test.ts +328 -0
- package/src/__tests__/context-engine/integration.test.ts +320 -0
- package/src/__tests__/context-engine/module-graph.test.ts +159 -0
- package/src/__tests__/context-engine/route-discovery/auth-resolver.test.ts +353 -0
- package/src/__tests__/context-engine/route-discovery/express.test.ts +150 -0
- package/src/__tests__/context-engine/route-discovery/nextjs.test.ts +138 -0
- package/src/__tests__/context-engine/route-discovery/python.test.ts +95 -0
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +187 -0
- package/src/__tests__/context-engine/sink-matcher.test.ts +251 -0
- package/src/__tests__/context-engine/source-discovery.test.ts +186 -0
- package/src/__tests__/context-engine/taint-tracker.test.ts +182 -0
- package/src/__tests__/detect/postinstall-enrichment.test.ts +300 -0
- package/src/__tests__/regression/agent-skill-benign.test.ts +174 -0
- package/src/__tests__/regression/known-false-positives.test.ts +312 -4
- package/src/__tests__/score/adjustments.test.ts +385 -0
- package/src/__tests__/score/confidence.test.ts +283 -0
- package/src/__tests__/score/framework-scoring.test.ts +275 -0
- package/src/__tests__/score/route-scoring.test.ts +156 -0
- package/src/__tests__/score/scoring-integration.test.ts +165 -0
- package/src/__tests__/score/taint-adjustments.test.ts +244 -0
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +37 -49
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +52 -0
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +3 -3
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +2 -2
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +1 -1
- package/src/__tests__/snapshots/scan-depth.test.ts +3 -3
- package/src/__tests__/validate/route-annotations.test.ts +138 -0
- package/src/__tests__/validation/analyze-results.ts +1 -1
- package/src/__tests__/validation/extract-for-triage.ts +1 -1
- package/src/__tests__/validation/fp-deep-analysis.ts +1 -1
- package/src/{layer2/ai-agent-tools.ts → detect/ai-code/agent-tools.ts} +23 -3
- package/src/{layer2 → detect/ai-code}/byok-patterns.ts +17 -5
- package/src/{layer2/ai-endpoint-protection.ts → detect/ai-code/endpoint-protection.ts} +8 -4
- package/src/{layer2/ai-execution-sinks.ts → detect/ai-code/execution-sinks.ts} +8 -4
- package/src/{layer2/ai-fingerprinting.ts → detect/ai-code/fingerprinting.ts} +20 -4
- package/src/detect/ai-code/index.ts +11 -0
- package/src/{layer2/ai-mcp-security.ts → detect/ai-code/mcp-security.ts} +7 -3
- package/src/{layer2 → detect/ai-code}/model-supply-chain.ts +7 -3
- package/src/{layer2/ai-package-hallucination.ts → detect/ai-code/package-hallucination.ts} +18 -3
- package/src/{layer2/ai-prompt-hygiene.ts → detect/ai-code/prompt-hygiene.ts} +25 -3
- package/src/{layer2/ai-rag-safety.ts → detect/ai-code/rag-safety.ts} +7 -3
- package/src/{layer2/ai-schema-validation.ts → detect/ai-code/schema-validation.ts} +7 -3
- package/src/detect/config/agent-skill-injection.ts +551 -0
- package/src/{layer1 → detect/config}/comments.ts +6 -2
- package/src/{layer1 → detect/config}/file-flags.ts +9 -3
- package/src/detect/config/index.ts +6 -0
- package/src/{layer3 → detect/config}/osv-check.ts +3 -2
- package/src/{layer3 → detect/config}/package-check.ts +3 -2
- package/src/{layer1 → detect/config}/urls.ts +12 -5
- package/src/detect/index.ts +131 -0
- package/src/{layer1 → detect/secrets}/config-audit.ts +118 -2
- package/src/{layer1 → detect/secrets}/config-mcp-audit.ts +8 -3
- package/src/{layer1 → detect/secrets}/entropy.ts +23 -11
- package/src/{layer1 → detect/secrets}/index.ts +31 -30
- package/src/{layer1 → detect/secrets}/patterns.ts +10 -3
- package/src/{layer1 → detect/secrets}/weak-crypto.ts +7 -2
- package/src/{layer2/auth-antipatterns.ts → detect/structural/auth-patterns.ts} +23 -11
- package/src/{layer2 → detect/structural}/dangerous-functions/dom-xss.ts +1 -1
- package/src/{layer2 → detect/structural}/dangerous-functions/index.ts +47 -24
- package/src/{layer2 → detect/structural}/dangerous-functions/json-parse.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/math-random.ts +2 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/patterns.ts +1 -1
- package/src/{layer2 → detect/structural}/dangerous-functions/request-validation.ts +10 -2
- package/src/{layer2 → detect/structural}/dangerous-functions/utils/control-flow.ts +2 -2
- package/src/{layer2 → detect/structural}/data-exposure.ts +11 -3
- package/src/{layer2 → detect/structural}/framework-checks.ts +10 -11
- package/src/{layer2 → detect/structural}/index.ts +80 -77
- package/src/detect/structural/log-injection.ts +254 -0
- package/src/{layer2 → detect/structural}/logic-gates.ts +13 -5
- package/src/{layer2 → detect/structural}/risky-imports.ts +7 -3
- package/src/detect/structural/security-headers.ts +231 -0
- package/src/detect/structural/ssrf-detection.ts +300 -0
- package/src/{layer2 → detect/structural}/variables.ts +7 -3
- package/src/detect/structural/xxe-detection.ts +295 -0
- package/src/index.ts +39 -1291
- package/src/{utils → model}/auth-helper-detector.ts +1 -1
- package/src/model/cross-file-taint.ts +374 -0
- package/src/model/framework-models/django.ts +82 -0
- package/src/model/framework-models/express.ts +54 -0
- package/src/model/framework-models/index.ts +116 -0
- package/src/model/framework-models/nextjs.ts +69 -0
- package/src/model/framework-models/prisma.ts +57 -0
- package/src/model/framework-models/react.ts +63 -0
- package/src/model/framework-models/sequelize.ts +63 -0
- package/src/model/framework-models/types.ts +46 -0
- package/src/model/function-classifier.ts +184 -0
- package/src/model/import-resolver.ts +453 -0
- package/src/{utils → model}/imported-auth-detector.ts +21 -85
- package/src/model/index.ts +353 -0
- package/src/{utils → model}/middleware-detector.ts +156 -17
- package/src/model/module-graph.ts +254 -0
- package/src/{utils → model}/oauth-flow-detector.ts +1 -1
- package/src/{utils/project-context-builder.ts → model/project-context.ts} +1 -1
- package/src/model/route-auth-resolver.ts +216 -0
- package/src/model/route-discovery/express.ts +251 -0
- package/src/model/route-discovery/index.ts +83 -0
- package/src/model/route-discovery/nextjs.ts +216 -0
- package/src/model/route-discovery/python.ts +214 -0
- package/src/model/route-discovery/types.ts +48 -0
- package/src/model/route-discovery/utils.ts +54 -0
- package/src/model/sanitiser-detection.ts +268 -0
- package/src/model/sink-matcher.ts +178 -0
- package/src/model/sink-patterns.ts +109 -0
- package/src/model/source-discovery.ts +209 -0
- package/src/model/taint-tracker.ts +333 -0
- package/src/model/taint-types.ts +149 -0
- package/src/{utils → model}/trpc-analyzer.ts +1 -1
- package/src/{utils/context-helpers.ts → parse/file-classifier.ts} +54 -0
- package/src/{utils → parse}/path-exclusions.ts +1 -1
- package/src/pipeline/config.ts +83 -0
- package/src/pipeline/index.ts +460 -0
- package/src/{modes → pipeline/modes}/incremental.ts +5 -5
- package/src/postprocess/aggregation.ts +74 -0
- package/src/postprocess/contradictions.ts +128 -0
- package/src/postprocess/dedup.ts +62 -0
- package/src/{filtering → postprocess/filtering}/__tests__/pipeline.test.ts +1 -1
- package/src/{filtering → postprocess/filtering}/context-adjustments.ts +2 -2
- package/src/{filtering → postprocess/filtering}/pipeline.ts +2 -2
- package/src/postprocess/index.ts +118 -0
- package/src/{suppression → postprocess/suppression}/config-loader.ts +1 -1
- package/src/{suppression → postprocess/suppression}/hash.ts +1 -1
- package/src/{suppression → postprocess/suppression}/inline-parser.ts +1 -1
- package/src/{suppression → postprocess/suppression}/manager.ts +1 -1
- package/src/{suppression → postprocess/suppression}/types.ts +2 -2
- package/src/postprocess/validation-cap.ts +66 -0
- package/src/report/build-result.ts +94 -0
- package/src/report/enrichment.ts +52 -0
- package/src/{formatters → report/formatters}/ai-context.ts +1 -1
- package/src/{formatters → report/formatters}/cli-terminal.ts +11 -11
- package/src/{formatters → report/formatters}/github-comment.ts +1 -1
- package/src/{formatters → report/formatters}/grouping.ts +8 -8
- package/src/{formatters → report/formatters}/ide/claude-code.ts +1 -1
- package/src/{formatters → report/formatters}/ide/cursor.ts +1 -1
- package/src/{formatters → report/formatters}/ide/windsurf.ts +1 -1
- package/src/{formatters → report/formatters}/vscode-diagnostic.ts +1 -1
- package/src/report/summary.ts +70 -0
- package/src/score/adjustments.ts +387 -0
- package/src/{layer3/anthropic → score}/auto-dismiss.ts +15 -14
- package/src/score/confidence.ts +66 -0
- package/src/score/index.ts +316 -0
- package/src/score/types.ts +187 -0
- package/src/{baseline → shared/baseline}/__tests__/diff.test.ts +2 -2
- package/src/{baseline → shared/baseline}/diff.ts +1 -1
- package/src/{baseline → shared/baseline}/manager.ts +1 -1
- package/src/{category-filter.ts → shared/category-filter.ts} +1 -1
- package/src/{utils → shared}/code-analysis.ts +1 -1
- package/src/{rules → shared/rules}/__tests__/metadata.test.ts +7 -0
- package/src/{rules → shared/rules}/framework-fixes.ts +1 -1
- package/src/{rules → shared/rules}/metadata.ts +94 -0
- package/src/{types.ts → shared/types.ts} +23 -6
- package/src/tiers.ts +20 -3
- package/src/validate/__tests__/context-extractor.test.ts +191 -0
- package/src/validate/__tests__/prompt-assembly.test.ts +233 -0
- package/src/validate/__tests__/request-builder.test.ts +347 -0
- package/src/{layer3/anthropic → validate}/index.ts +8 -7
- package/src/{layer3/anthropic → validate}/prompts/index.ts +2 -0
- package/src/validate/prompts/modules/ai-patterns.ts +153 -0
- package/src/validate/prompts/modules/auth-access.ts +22 -0
- package/src/validate/prompts/modules/common.ts +183 -0
- package/src/validate/prompts/modules/index.ts +204 -0
- package/src/validate/prompts/modules/owasp-classic.ts +81 -0
- package/src/validate/prompts/modules/secrets-crypto.ts +65 -0
- package/src/validate/prompts/modules/xss-prompt.ts +19 -0
- package/src/validate/prompts/validation.ts +20 -0
- package/src/{layer3/anthropic → validate}/providers/anthropic.ts +28 -27
- package/src/validate/providers/index.ts +8 -0
- package/src/{layer3/anthropic → validate}/providers/openai.ts +30 -25
- package/src/validate/request-builder.ts +448 -0
- package/src/{layer3/anthropic → validate}/types.ts +1 -1
- package/src/validate/utils/context-extractor.ts +220 -0
- package/src/{layer3/anthropic → validate}/utils/index.ts +10 -0
- package/src/{layer3/anthropic → validate}/utils/response-parser.ts +2 -1
- package/src/layer3/anthropic/prompts/validation.ts +0 -419
- package/src/layer3/anthropic/providers/index.ts +0 -8
- package/src/layer3/anthropic/request-builder.ts +0 -150
- package/src/layer3/index.ts +0 -168
- /package/src/{layer3 → detect/config}/__tests__/osv-check.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/__tests__/math-random-enhanced.test.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/child-process.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/helpers.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/index.ts +0 -0
- /package/src/{layer2 → detect/structural}/dangerous-functions/utils/schema-validation.ts +0 -0
- /package/src/{utils → model}/route-hierarchy.ts +0 -0
- /package/src/{filtering → postprocess/filtering}/index.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/config-loader.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/hash.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/inline-parser.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/__tests__/manager.test.ts +0 -0
- /package/src/{suppression → postprocess/suppression}/index.ts +0 -0
- /package/src/{formatters → report/formatters}/__tests__/ai-context.test.ts +0 -0
- /package/src/{formatters → report/formatters}/ide/__tests__/ide.test.ts +0 -0
- /package/src/{formatters → report/formatters}/ide/index.ts +0 -0
- /package/src/{formatters → report/formatters}/index.ts +0 -0
- /package/src/{utils → shared}/__tests__/code-analysis.test.ts +0 -0
- /package/src/{utils → shared}/__tests__/parsed-file.test.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/__tests__/manager.test.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/index.ts +0 -0
- /package/src/{ai-context → shared/ai-context}/manager.ts +0 -0
- /package/src/{baseline → shared/baseline}/__tests__/manager.test.ts +0 -0
- /package/src/{baseline → shared/baseline}/index.ts +0 -0
- /package/src/{baseline → shared/baseline}/types.ts +0 -0
- /package/src/{utils → shared}/comment-analyzer.ts +0 -0
- /package/src/{utils → shared}/diff-detector.ts +0 -0
- /package/src/{utils → shared}/diff-parser.ts +0 -0
- /package/src/{utils → shared}/environment-context.ts +0 -0
- /package/src/{utils → shared}/intent-detector.ts +0 -0
- /package/src/{utils → shared}/parsed-file.ts +0 -0
- /package/src/{utils → shared}/registry-clients.ts +0 -0
- /package/src/{rules → shared/rules}/__tests__/framework-fixes.test.ts +0 -0
- /package/src/{rules → shared/rules}/index.ts +0 -0
- /package/src/{utils → shared}/schema-semantics.ts +0 -0
- /package/src/{layer3/anthropic → validate}/clients.ts +0 -0
- /package/src/{layer3/anthropic → validate}/prompts/semantic-analysis.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/path-helpers.ts +0 -0
- /package/src/{layer3/anthropic → validate}/utils/retry.ts +0 -0
|
@@ -8,17 +8,19 @@
|
|
|
8
8
|
* - Properly classifies public endpoints
|
|
9
9
|
*/
|
|
10
10
|
|
|
11
|
-
import type { Vulnerability, VulnerabilitySeverity } from '
|
|
12
|
-
import type { ParsedFile } from '
|
|
13
|
-
import type { MiddlewareAuthConfig } from '
|
|
14
|
-
import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '
|
|
15
|
-
import type { AuthHelper, AuthHelperContext } from '
|
|
16
|
-
import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '
|
|
17
|
-
import type { FileAuthImports } from '
|
|
18
|
-
import { isScannerOrFixtureFile } from '
|
|
19
|
-
import { getRouteProtectionContext, isAuthenticatedOnlyComponent } from '
|
|
20
|
-
import { is2FAOrValidation } from '
|
|
21
|
-
import { isPasswordErrorCode, hasPasswordValueInError } from '
|
|
11
|
+
import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
|
|
12
|
+
import type { ParsedFile } from '../../shared/parsed-file'
|
|
13
|
+
import type { MiddlewareAuthConfig } from '../../model/middleware-detector'
|
|
14
|
+
import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../../model/middleware-detector'
|
|
15
|
+
import type { AuthHelper, AuthHelperContext } from '../../model/auth-helper-detector'
|
|
16
|
+
import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../../model/auth-helper-detector'
|
|
17
|
+
import type { FileAuthImports } from '../../model/imported-auth-detector'
|
|
18
|
+
import { isScannerOrFixtureFile } from '../../parse/file-classifier'
|
|
19
|
+
import { getRouteProtectionContext, isAuthenticatedOnlyComponent } from '../../model/route-hierarchy'
|
|
20
|
+
import { is2FAOrValidation } from '../../shared/schema-semantics'
|
|
21
|
+
import { isPasswordErrorCode, hasPasswordValueInError } from '../../shared/intent-detector'
|
|
22
|
+
|
|
23
|
+
const BASE_CONFIDENCE = 0.40
|
|
22
24
|
|
|
23
25
|
interface AuthAntiPattern {
|
|
24
26
|
name: string
|
|
@@ -457,7 +459,9 @@ export function detectAuthAntipatterns(
|
|
|
457
459
|
description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
|
|
458
460
|
suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
|
|
459
461
|
confidence: 'low',
|
|
462
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
460
463
|
layer: 2,
|
|
464
|
+
source: 'structural' as const,
|
|
461
465
|
})
|
|
462
466
|
break // Only report once per line
|
|
463
467
|
}
|
|
@@ -504,7 +508,9 @@ export function detectAuthAntipatterns(
|
|
|
504
508
|
description: 'This appears to be a public endpoint (health check, webhook, cron, etc.). Verify this is intentionally public and consider rate limiting if needed.',
|
|
505
509
|
suggestedFix: 'If this is a webhook or cron endpoint, ensure it has appropriate authentication (API keys, signatures, etc.). Health checks typically do not need auth.',
|
|
506
510
|
confidence: 'low',
|
|
511
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
507
512
|
layer: 2,
|
|
513
|
+
source: 'structural' as const,
|
|
508
514
|
})
|
|
509
515
|
break // Only report once per line
|
|
510
516
|
}
|
|
@@ -522,7 +528,9 @@ export function detectAuthAntipatterns(
|
|
|
522
528
|
description: pattern.description + ' (auth check detected in nearby lines)',
|
|
523
529
|
suggestedFix: pattern.suggestedFix,
|
|
524
530
|
confidence: 'low',
|
|
531
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
525
532
|
layer: 2,
|
|
533
|
+
source: 'structural' as const,
|
|
526
534
|
})
|
|
527
535
|
break // Only report once per line
|
|
528
536
|
}
|
|
@@ -543,7 +551,9 @@ export function detectAuthAntipatterns(
|
|
|
543
551
|
description: pattern.description,
|
|
544
552
|
suggestedFix: pattern.suggestedFix,
|
|
545
553
|
confidence,
|
|
554
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
546
555
|
layer: 2,
|
|
556
|
+
source: 'structural' as const,
|
|
547
557
|
})
|
|
548
558
|
break // Only report once per line
|
|
549
559
|
}
|
|
@@ -578,7 +588,9 @@ export function detectAuthAntipatterns(
|
|
|
578
588
|
description: 'Actual password value may be included in error message, exposing sensitive data.',
|
|
579
589
|
suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
|
|
580
590
|
confidence: 'high',
|
|
591
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
581
592
|
layer: 2,
|
|
593
|
+
source: 'structural' as const,
|
|
582
594
|
})
|
|
583
595
|
}
|
|
584
596
|
}
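Review bot: `baseConfidence: BASE_CONFIDENCE` (0.40, new line 23) is attached unchanged to every finding detectAuthAntipatterns emits, including the password-exposure report at new line 590 whose `confidence` is `'high'` and the branch at new line 553 where `confidence` is computed per pattern, so if the scoring stage reads `baseConfidence` as its prior it never sees that per-finding signal; a per-level lookup such as `baseConfidence: BASE_CONFIDENCE_BY_LEVEL[confidence],` (values to be chosen by the scoring owners) would keep the two fields from contradicting each other. The same `const BASE_CONFIDENCE = 0.40` is declared again in dangerous-functions/index.ts (new line 65); hoisting it into one of the shared modules both files already import from would stop the two detectors from drifting apart. The `as const` on `source: 'structural'` is presumably redundant if these object literals are contextually typed as `Vulnerability` at the push site, and the constant deserves a one-line comment recording where 0.40 comes from. The body of detectAuthAntipatterns begins and ends outside these hunks.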
|
|
@@ -5,8 +5,8 @@
|
|
|
5
5
|
* This module orchestrates detection across multiple specialized modules.
|
|
6
6
|
*/
|
|
7
7
|
|
|
8
|
-
import type { Vulnerability, VulnerabilitySeverity } from '
|
|
9
|
-
import type { ParsedFile } from '
|
|
8
|
+
import type { Vulnerability, VulnerabilitySeverity } from '../../../shared/types'
|
|
9
|
+
import type { ParsedFile } from '../../../shared/parsed-file'
|
|
10
10
|
import {
|
|
11
11
|
isComment,
|
|
12
12
|
isTestOrMockFile,
|
|
@@ -15,7 +15,7 @@ import {
|
|
|
15
15
|
isDesktopAppContext,
|
|
16
16
|
isMcpServerContext,
|
|
17
17
|
isFileLoaderContext,
|
|
18
|
-
} from '
|
|
18
|
+
} from '../../../parse/file-classifier'
|
|
19
19
|
|
|
20
20
|
// Pattern definitions
|
|
21
21
|
import {
|
|
@@ -62,6 +62,8 @@ import { hasOnlyStaticInputs, hasPathTraversalProtection } from './utils/helpers
|
|
|
62
62
|
// Re-export types and patterns for external use
|
|
63
63
|
export { DANGEROUS_FUNCTIONS, type DangerousFunctionPattern } from './patterns'
|
|
64
64
|
|
|
65
|
+
const BASE_CONFIDENCE = 0.40
|
|
66
|
+
|
|
65
67
|
/**
|
|
66
68
|
* Main detection function for dangerous function calls
|
|
67
69
|
*/
|
|
@@ -331,8 +333,9 @@ function handleInnerHTMLPattern(
|
|
|
331
333
|
suggestedFix:
|
|
332
334
|
'Consider input validation, content filtering, or structured prompts to limit prompt injection risk.',
|
|
333
335
|
confidence: 'low',
|
|
336
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
334
337
|
layer: 2,
|
|
335
|
-
})
|
|
338
|
+
source: 'structural' as const, })
|
|
336
339
|
return
|
|
337
340
|
}
|
|
338
341
|
|
|
@@ -356,8 +359,9 @@ function handleInnerHTMLPattern(
|
|
|
356
359
|
(isTestFile ? ' (in test file)' : ''),
|
|
357
360
|
suggestedFix: funcPattern.suggestedFix,
|
|
358
361
|
confidence: isTestFile ? 'low' : 'high',
|
|
362
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
359
363
|
layer: 2,
|
|
360
|
-
requiresAIValidation: true, // Dynamic HTML needs validation
|
|
364
|
+
source: 'structural' as const, requiresAIValidation: true, // Dynamic HTML needs validation
|
|
361
365
|
})
|
|
362
366
|
}
|
|
363
367
|
|
|
@@ -410,8 +414,9 @@ function handleEvalPattern(
|
|
|
410
414
|
description: funcPattern.description,
|
|
411
415
|
suggestedFix: funcPattern.suggestedFix,
|
|
412
416
|
confidence: 'high',
|
|
417
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
413
418
|
layer: 2,
|
|
414
|
-
requiresAIValidation: true, // Code execution patterns need validation
|
|
419
|
+
source: 'structural' as const, requiresAIValidation: true, // Code execution patterns need validation
|
|
415
420
|
})
|
|
416
421
|
return true
|
|
417
422
|
}
|
|
@@ -500,8 +505,9 @@ function handleChildProcessPattern(
|
|
|
500
505
|
description: 'Shell command execution in build/tooling script with hardcoded command. Build scripts are developer-controlled.',
|
|
501
506
|
suggestedFix: 'Ensure this script is not exposed to untrusted input.',
|
|
502
507
|
confidence: 'low',
|
|
508
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
503
509
|
layer: 2,
|
|
504
|
-
})
|
|
510
|
+
source: 'structural' as const, })
|
|
505
511
|
return true
|
|
506
512
|
}
|
|
507
513
|
}
|
|
@@ -527,8 +533,9 @@ function handleChildProcessPattern(
|
|
|
527
533
|
suggestedFix:
|
|
528
534
|
'Ensure command arguments from IPC are validated against an allowlist.',
|
|
529
535
|
confidence: 'medium',
|
|
536
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
530
537
|
layer: 2,
|
|
531
|
-
})
|
|
538
|
+
source: 'structural' as const, })
|
|
532
539
|
return true
|
|
533
540
|
}
|
|
534
541
|
|
|
@@ -558,8 +565,9 @@ function handleChildProcessPattern(
|
|
|
558
565
|
description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
|
|
559
566
|
suggestedFix: funcPattern.suggestedFix,
|
|
560
567
|
confidence,
|
|
568
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
561
569
|
layer: 2,
|
|
562
|
-
})
|
|
570
|
+
source: 'structural' as const, })
|
|
563
571
|
return true
|
|
564
572
|
}
|
|
565
573
|
|
|
@@ -684,8 +692,9 @@ function handleSQLPattern(
|
|
|
684
692
|
description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
|
|
685
693
|
suggestedFix: funcPattern.suggestedFix,
|
|
686
694
|
confidence,
|
|
695
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
687
696
|
layer: 2,
|
|
688
|
-
})
|
|
697
|
+
source: 'structural' as const, })
|
|
689
698
|
}
|
|
690
699
|
|
|
691
700
|
/**
|
|
@@ -724,8 +733,9 @@ function handleFilePathPattern(
|
|
|
724
733
|
suggestedFix:
|
|
725
734
|
'Ensure file paths are validated and constrained to expected directories.',
|
|
726
735
|
confidence: 'low',
|
|
736
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
727
737
|
layer: 2,
|
|
728
|
-
})
|
|
738
|
+
source: 'structural' as const, })
|
|
729
739
|
return
|
|
730
740
|
}
|
|
731
741
|
|
|
@@ -783,8 +793,9 @@ function handleFilePathPattern(
|
|
|
783
793
|
suggestedFix:
|
|
784
794
|
'Ensure path normalization and base directory checks are applied consistently.',
|
|
785
795
|
confidence: 'low',
|
|
796
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
786
797
|
layer: 2,
|
|
787
|
-
})
|
|
798
|
+
source: 'structural' as const, })
|
|
788
799
|
return
|
|
789
800
|
}
|
|
790
801
|
|
|
@@ -832,8 +843,9 @@ function handleFilePathPattern(
|
|
|
832
843
|
suggestedFix:
|
|
833
844
|
'Verify paths come from trusted action inputs or environment variables.',
|
|
834
845
|
confidence: 'low',
|
|
846
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
835
847
|
layer: 2,
|
|
836
|
-
})
|
|
848
|
+
source: 'structural' as const, })
|
|
837
849
|
return
|
|
838
850
|
}
|
|
839
851
|
|
|
@@ -852,8 +864,9 @@ function handleFilePathPattern(
|
|
|
852
864
|
suggestedFix:
|
|
853
865
|
'Add path validation if accepting paths from untrusted sources.',
|
|
854
866
|
confidence: 'low',
|
|
867
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
855
868
|
layer: 2,
|
|
856
|
-
})
|
|
869
|
+
source: 'structural' as const, })
|
|
857
870
|
return
|
|
858
871
|
}
|
|
859
872
|
|
|
@@ -915,8 +928,9 @@ function handleFilePathPattern(
|
|
|
915
928
|
description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
|
|
916
929
|
suggestedFix: funcPattern.suggestedFix,
|
|
917
930
|
confidence,
|
|
931
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
918
932
|
layer: 2,
|
|
919
|
-
})
|
|
933
|
+
source: 'structural' as const, })
|
|
920
934
|
}
|
|
921
935
|
|
|
922
936
|
/**
|
|
@@ -1071,8 +1085,9 @@ function handleMathRandomPattern(
|
|
|
1071
1085
|
description,
|
|
1072
1086
|
suggestedFix,
|
|
1073
1087
|
confidence,
|
|
1088
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1074
1089
|
layer: 2,
|
|
1075
|
-
})
|
|
1090
|
+
source: 'structural' as const, })
|
|
1076
1091
|
}
|
|
1077
1092
|
|
|
1078
1093
|
/**
|
|
@@ -1199,8 +1214,9 @@ function handlePythonSubprocessPattern(
|
|
|
1199
1214
|
'subprocess with list arguments (safer than shell=True). Some arguments contain variables or f-strings — verify they are validated.',
|
|
1200
1215
|
suggestedFix: 'Ensure dynamic arguments are validated and sanitized.',
|
|
1201
1216
|
confidence: 'low',
|
|
1217
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1202
1218
|
layer: 2,
|
|
1203
|
-
})
|
|
1219
|
+
source: 'structural' as const, })
|
|
1204
1220
|
return
|
|
1205
1221
|
}
|
|
1206
1222
|
|
|
@@ -1242,8 +1258,9 @@ function handlePythonSubprocessPattern(
|
|
|
1242
1258
|
`subprocess called with variable '${varName}' which resolves to a list. List arguments prevent shell injection, but some elements are dynamic.`,
|
|
1243
1259
|
suggestedFix: 'Ensure dynamic list elements are validated and sanitized.',
|
|
1244
1260
|
confidence: 'low',
|
|
1261
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1245
1262
|
layer: 2,
|
|
1246
|
-
})
|
|
1263
|
+
source: 'structural' as const, })
|
|
1247
1264
|
return
|
|
1248
1265
|
}
|
|
1249
1266
|
|
|
@@ -1260,8 +1277,9 @@ function handlePythonSubprocessPattern(
|
|
|
1260
1277
|
`subprocess called with variable '${varName}' — could not resolve its value nearby. If it is a list, shell injection risk is low.`,
|
|
1261
1278
|
suggestedFix: 'Verify the variable is a list (not a string) and arguments are validated.',
|
|
1262
1279
|
confidence: 'low',
|
|
1280
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1263
1281
|
layer: 2,
|
|
1264
|
-
})
|
|
1282
|
+
source: 'structural' as const, })
|
|
1265
1283
|
return
|
|
1266
1284
|
}
|
|
1267
1285
|
|
|
@@ -1386,8 +1404,9 @@ function handleRegexPattern(
|
|
|
1386
1404
|
description: 'Dynamic regex from object property. If the regex source is app-defined (not user input), ReDoS risk is minimal.',
|
|
1387
1405
|
suggestedFix: 'Ensure regex patterns come from trusted, validated sources.',
|
|
1388
1406
|
confidence: 'low',
|
|
1407
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1389
1408
|
layer: 2,
|
|
1390
|
-
})
|
|
1409
|
+
source: 'structural' as const, })
|
|
1391
1410
|
return
|
|
1392
1411
|
}
|
|
1393
1412
|
|
|
@@ -1407,8 +1426,9 @@ function handleRegexPattern(
|
|
|
1407
1426
|
description: 'Dynamic regex in array iteration. If iterating over app-defined data, ReDoS risk is minimal.',
|
|
1408
1427
|
suggestedFix: 'Ensure regex patterns come from trusted sources, not user input.',
|
|
1409
1428
|
confidence: 'low',
|
|
1429
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1410
1430
|
layer: 2,
|
|
1411
|
-
})
|
|
1431
|
+
source: 'structural' as const, })
|
|
1412
1432
|
return
|
|
1413
1433
|
}
|
|
1414
1434
|
|
|
@@ -1426,8 +1446,9 @@ function handleRegexPattern(
|
|
|
1426
1446
|
'Dynamic regex with try-catch error handling. ReDoS attacks are contained but may still cause performance issues.',
|
|
1427
1447
|
suggestedFix: 'Consider using safe-regex library or adding timeout for regex operations.',
|
|
1428
1448
|
confidence: 'low',
|
|
1449
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1429
1450
|
layer: 2,
|
|
1430
|
-
})
|
|
1451
|
+
source: 'structural' as const, })
|
|
1431
1452
|
return
|
|
1432
1453
|
}
|
|
1433
1454
|
|
|
@@ -1483,8 +1504,9 @@ function handleSpreadPattern(
|
|
|
1483
1504
|
description: 'Request body is spread but has schema validation. Schema validation strips unknown properties, reducing mass assignment risk.',
|
|
1484
1505
|
suggestedFix: 'Ensure schema validation is strict (no .passthrough() in Zod, no additionalProperties in JSON Schema).',
|
|
1485
1506
|
confidence: 'low',
|
|
1507
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1486
1508
|
layer: 2,
|
|
1487
|
-
})
|
|
1509
|
+
source: 'structural' as const, })
|
|
1488
1510
|
return
|
|
1489
1511
|
}
|
|
1490
1512
|
|
|
@@ -1528,6 +1550,7 @@ function handleStandardPattern(
|
|
|
1528
1550
|
description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
|
|
1529
1551
|
suggestedFix: funcPattern.suggestedFix,
|
|
1530
1552
|
confidence,
|
|
1553
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
1531
1554
|
layer: 2,
|
|
1532
|
-
})
|
|
1555
|
+
source: 'structural' as const, })
|
|
1533
1556
|
}
|
|
@@ -5,11 +5,13 @@
|
|
|
5
5
|
* based on the data source and error handling context.
|
|
6
6
|
*/
|
|
7
7
|
|
|
8
|
-
import type { Vulnerability, VulnerabilitySeverity } from '
|
|
9
|
-
import { isComment, isTestOrMockFile } from '
|
|
8
|
+
import type { Vulnerability, VulnerabilitySeverity } from '../../../shared/types'
|
|
9
|
+
import { isComment, isTestOrMockFile } from '../../../parse/file-classifier'
|
|
10
10
|
import { isInsideTryCatch, hasTryCatchNearby } from './utils/control-flow'
|
|
11
11
|
import { hasSchemaValidationNearby } from './utils/schema-validation'
|
|
12
12
|
|
|
13
|
+
const BASE_CONFIDENCE = 0.35
|
|
14
|
+
|
|
13
15
|
/**
|
|
14
16
|
* JSON.parse source classification
|
|
15
17
|
* Determines if the input is user-controlled or internal data
|
|
@@ -339,7 +341,9 @@ export function detectJSONParseSafe(
|
|
|
339
341
|
description,
|
|
340
342
|
suggestedFix,
|
|
341
343
|
confidence,
|
|
344
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
342
345
|
layer: 2,
|
|
346
|
+
source: 'structural' as const,
|
|
343
347
|
})
|
|
344
348
|
})
|
|
345
349
|
|
|
@@ -362,7 +366,9 @@ export function detectJSONParseSafe(
|
|
|
362
366
|
suggestedFix:
|
|
363
367
|
'Add try-catch for error handling. If parsing user input, add schema validation.',
|
|
364
368
|
confidence: 'low',
|
|
369
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
365
370
|
layer: 2,
|
|
371
|
+
source: 'structural' as const,
|
|
366
372
|
})
|
|
367
373
|
} else if (instances.length > 0 && instances.length < 3) {
|
|
368
374
|
// Report individually for small counts
|
|
@@ -378,7 +384,9 @@ export function detectJSONParseSafe(
|
|
|
378
384
|
description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
|
|
379
385
|
suggestedFix: 'Consider adding try-catch for robustness.',
|
|
380
386
|
confidence: 'low',
|
|
387
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
381
388
|
layer: 2,
|
|
389
|
+
source: 'structural' as const,
|
|
382
390
|
})
|
|
383
391
|
}
|
|
384
392
|
}
|
|
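Review bot: `const BASE_CONFIDENCE = 0.35` in the import hunk of this section is declared without a comment saying what scale it is on or how it relates to the string `confidence` field, and the same value is attached to every finding in the file whether `confidence` is computed or fixed at `'low'`, so a reader cannot tell if `baseConfidence` is a per-detector prior or a per-finding score that should track `confidence`. Suggest a comment at the declaration such as `// Detector-level prior (0-1) for this file's findings; per-finding adjustment presumably happens in the consumer - confirm` since the code that reads `baseConfidence` is not visible here. The `'structural' as const` inside each pushed object literal is only needed if the target `Vulnerability` type does not already declare `source` as a literal union; if it does, the assertion is redundant and can be dropped. The same applies to the detectRequestJsonValidation (0.35) and detectDataExposure (0.40) sections below, which each re-declare their own BASE_CONFIDENCE with a different literal and no shared definition or documented scale.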
@@ -9,8 +9,8 @@ import {
|
|
|
9
9
|
isTestOrMockFile,
|
|
10
10
|
isSeedOrDataGenFile,
|
|
11
11
|
isEducationalVulnerabilityFile,
|
|
12
|
-
} from '
|
|
13
|
-
import type { ParsedFile } from '
|
|
12
|
+
} from '../../../parse/file-classifier'
|
|
13
|
+
import type { ParsedFile } from '../../../shared/parsed-file'
|
|
14
14
|
import { extractFunctionContext } from './utils/control-flow'
|
|
15
15
|
|
|
16
16
|
/**
|
|
@@ -5,11 +5,13 @@
|
|
|
5
5
|
* proper schema validation.
|
|
6
6
|
*/
|
|
7
7
|
|
|
8
|
-
import type { Vulnerability } from '
|
|
9
|
-
import { isComment } from '
|
|
8
|
+
import type { Vulnerability } from '../../../shared/types'
|
|
9
|
+
import { isComment } from '../../../parse/file-classifier'
|
|
10
10
|
import { hasManualValidation } from './utils/schema-validation'
|
|
11
11
|
import { hasThrowingAuthHelper } from './utils/helpers'
|
|
12
12
|
|
|
13
|
+
const BASE_CONFIDENCE = 0.35
|
|
14
|
+
|
|
13
15
|
/**
|
|
14
16
|
* Detect request.json() / req.json() and suggest schema validation
|
|
15
17
|
* This is NOT a dangerous function - it's a prompt for best practices
|
|
@@ -102,7 +104,9 @@ export function detectRequestJsonValidation(
|
|
|
102
104
|
suggestedFix:
|
|
103
105
|
'While manual validation works, schema libraries provide better TypeScript integration and error messages.',
|
|
104
106
|
confidence: 'low',
|
|
107
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
105
108
|
layer: 2,
|
|
109
|
+
source: 'structural' as const,
|
|
106
110
|
})
|
|
107
111
|
return
|
|
108
112
|
}
|
|
@@ -122,7 +126,9 @@ export function detectRequestJsonValidation(
|
|
|
122
126
|
suggestedFix:
|
|
123
127
|
'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
|
|
124
128
|
confidence: 'low',
|
|
129
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
125
130
|
layer: 2,
|
|
131
|
+
source: 'structural' as const,
|
|
126
132
|
})
|
|
127
133
|
} else {
|
|
128
134
|
// Single instance
|
|
@@ -139,7 +145,9 @@ export function detectRequestJsonValidation(
|
|
|
139
145
|
suggestedFix:
|
|
140
146
|
'Add schema validation (e.g., zod): const body = await request.json(); const data = schema.parse(body);',
|
|
141
147
|
confidence: 'low',
|
|
148
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
142
149
|
layer: 2,
|
|
150
|
+
source: 'structural' as const,
|
|
143
151
|
})
|
|
144
152
|
}
|
|
145
153
|
}
|
|
@@ -6,8 +6,8 @@
|
|
|
6
6
|
* wrappers create a temporary ParsedFile to delegate to the shared implementation.
|
|
7
7
|
*/
|
|
8
8
|
|
|
9
|
-
import { ParsedFile } from '
|
|
10
|
-
import * as codeAnalysis from '
|
|
9
|
+
import { ParsedFile } from '../../../../shared/parsed-file'
|
|
10
|
+
import * as codeAnalysis from '../../../../shared/code-analysis'
|
|
11
11
|
|
|
12
12
|
/**
|
|
13
13
|
* Check if a line is inside a try-catch block
|
|
@@ -4,9 +4,11 @@
|
|
|
4
4
|
* Separates "logging concerns" from "response exposure" which have different risk profiles
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
-
import type { Vulnerability, VulnerabilitySeverity } from '
|
|
8
|
-
import type { ParsedFile } from '
|
|
9
|
-
import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '
|
|
7
|
+
import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
|
|
8
|
+
import type { ParsedFile } from '../../shared/parsed-file'
|
|
9
|
+
import { isComment, isTestOrMockFile, isScannerOrFixtureFile } from '../../parse/file-classifier'
|
|
10
|
+
|
|
11
|
+
const BASE_CONFIDENCE = 0.40
|
|
10
12
|
|
|
11
13
|
interface DataExposurePattern {
|
|
12
14
|
name: string
|
|
@@ -217,7 +219,9 @@ export function detectDataExposure(
|
|
|
217
219
|
description,
|
|
218
220
|
suggestedFix: pattern.suggestedFix,
|
|
219
221
|
confidence: isTestFile ? 'low' : 'medium',
|
|
222
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
220
223
|
layer: 2,
|
|
224
|
+
source: 'structural' as const,
|
|
221
225
|
})
|
|
222
226
|
break // Only one finding per line
|
|
223
227
|
}
|
|
@@ -249,7 +253,9 @@ export function detectDataExposure(
|
|
|
249
253
|
description: `${patternSummary}. Review for sensitive data exposure.\n\nFound ${logFindings.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
|
|
250
254
|
suggestedFix: 'Ensure logs have appropriate access controls and do not contain sensitive user data.',
|
|
251
255
|
confidence: 'low',
|
|
256
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
252
257
|
layer: 2,
|
|
258
|
+
source: 'structural' as const,
|
|
253
259
|
})
|
|
254
260
|
} else if (logFindings.length > 0) {
|
|
255
261
|
// Report individually for small counts
|
|
@@ -267,7 +273,9 @@ export function detectDataExposure(
|
|
|
267
273
|
description: pattern.description,
|
|
268
274
|
suggestedFix: pattern.suggestedFix,
|
|
269
275
|
confidence: 'low',
|
|
276
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
270
277
|
layer: 2,
|
|
278
|
+
source: 'structural' as const,
|
|
271
279
|
})
|
|
272
280
|
}
|
|
273
281
|
}
|
|
@@ -3,8 +3,8 @@
|
|
|
3
3
|
* Detects security issues specific to popular frameworks (Next.js, Express, React, etc.)
|
|
4
4
|
*/
|
|
5
5
|
|
|
6
|
-
import type { Vulnerability, VulnerabilitySeverity } from '
|
|
7
|
-
import type { ParsedFile } from '
|
|
6
|
+
import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
|
|
7
|
+
import type { ParsedFile } from '../../shared/parsed-file'
|
|
8
8
|
import {
|
|
9
9
|
isComment,
|
|
10
10
|
isServerOnlyFile,
|
|
@@ -12,7 +12,9 @@ import {
|
|
|
12
12
|
getServiceRoleKeyContext,
|
|
13
13
|
isTestOrMockFile,
|
|
14
14
|
isScannerOrFixtureFile,
|
|
15
|
-
} from '
|
|
15
|
+
} from '../../parse/file-classifier'
|
|
16
|
+
|
|
17
|
+
const BASE_CONFIDENCE = 0.20
|
|
16
18
|
|
|
17
19
|
interface FrameworkPattern {
|
|
18
20
|
name: string
|
|
@@ -75,14 +77,7 @@ const FRAMEWORK_PATTERNS: FrameworkPattern[] = [
|
|
|
75
77
|
},
|
|
76
78
|
|
|
77
79
|
// ==================== Express ====================
|
|
78
|
-
|
|
79
|
-
name: 'Express without helmet',
|
|
80
|
-
pattern: /express\s*\(\s*\)(?![\s\S]*helmet)/gi,
|
|
81
|
-
severity: 'medium',
|
|
82
|
-
description: 'Express app may lack security headers (helmet middleware)',
|
|
83
|
-
suggestedFix: 'Add helmet middleware: app.use(helmet())',
|
|
84
|
-
framework: 'express',
|
|
85
|
-
},
|
|
80
|
+
// NOTE: "Express without helmet" moved to security-headers.ts (OWASP Workstream 1)
|
|
86
81
|
{
|
|
87
82
|
name: 'Express CORS allow all',
|
|
88
83
|
pattern: /cors\s*\(\s*\{[^}]*origin\s*:\s*['"]\*['"]/gi,
|
|
@@ -396,7 +391,9 @@ export function detectFrameworkIssues(
|
|
|
396
391
|
description: adjustedDescription,
|
|
397
392
|
suggestedFix: pattern.suggestedFix,
|
|
398
393
|
confidence: adjustedConfidence,
|
|
394
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
399
395
|
layer: 2,
|
|
396
|
+
source: 'structural' as const,
|
|
400
397
|
requiresAIValidation,
|
|
401
398
|
})
|
|
402
399
|
break
|
|
@@ -429,7 +426,9 @@ export function detectFrameworkIssues(
|
|
|
429
426
|
description: isTestFile ? `${pattern.description} (in test file)` : pattern.description,
|
|
430
427
|
suggestedFix: pattern.suggestedFix,
|
|
431
428
|
confidence,
|
|
429
|
+
baseConfidence: BASE_CONFIDENCE,
|
|
432
430
|
layer: 2,
|
|
431
|
+
source: 'structural' as const,
|
|
433
432
|
})
|
|
434
433
|
break // Only report once per line
|
|
435
434
|
}
|