@oculum/scanner 1.0.13 → 1.0.15

package/src/detect/structural/logic-gates.ts

@@ -1,256 +0,0 @@
-/**
- * Layer 2: Logic Gates Detection
- * Identifies security bypass patterns and dangerous logic flows
- */
-
-import type { Vulnerability } from '../../shared/types'
-import type { ParsedFile } from '../../shared/parsed-file'
-import { isScannerOrFixtureFile } from '../../parse/file-classifier'
-import { isDisabledAuthComment } from '../../shared/comment-analyzer'
-import { isReactStateSetter, isActualRedirect } from '../../shared/intent-detector'
-
-const BASE_CONFIDENCE = 0.20
-
-interface LogicPattern {
-  name: string
-  pattern: RegExp
-  severity: 'critical' | 'high' | 'medium' | 'low'
-  description: string
-  suggestedFix: string
-}
-
-// Patterns for security bypass logic
-const LOGIC_PATTERNS: LogicPattern[] = [
-  // Development mode bypasses
-  {
-    name: 'Development mode security bypass',
-    pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]production['"]\s*\)\s*(return\s+true|return\s*;|continue|break)/gi,
-    severity: 'high',
-    description: 'Security check bypassed in non-production environments',
-    suggestedFix: 'Remove development-only bypasses or ensure they cannot be triggered in production',
-  },
-  {
-    name: 'Development mode auth skip',
-    pattern: /if\s*\(\s*process\.env\.NODE_ENV\s*[!=]==?\s*['"]development['"]\s*\)/gi,
-    severity: 'medium',
-    description: 'Code path that only runs in development - verify no security implications',
-    suggestedFix: 'Ensure this development-only code does not bypass security controls',
-  },
-  // Auth bypasses
-  {
-    name: 'Authentication bypass pattern',
-    pattern: /if\s*\(\s*(true|1|!false)\s*\)\s*{\s*(return|next|resolve)/gi,
-    severity: 'critical',
-    description: 'Hardcoded truthy condition may bypass authentication',
-    suggestedFix: 'Remove hardcoded bypass and implement proper authentication check',
-  },
-  // NOTE: 'Commented auth check' pattern has been replaced with smart comment analysis
-  // The isDisabledAuthComment() function distinguishes explanatory comments from disabled code
-  // This is handled specially in detectLogicGates() below
-  // Skip validation patterns
-  {
-    name: 'Validation skip',
-    pattern: /skipValidation\s*[=:]\s*true|validate\s*[=:]\s*false|noValidate\s*[=:]\s*true/gi,
-    severity: 'high',
-    description: 'Input validation explicitly disabled',
-    suggestedFix: 'Enable validation or ensure this is intentional and documented',
-  },
-  // Debug/test bypasses
-  {
-    name: 'Debug bypass',
-    pattern: /if\s*\(\s*(DEBUG|TEST|SKIP_AUTH|BYPASS|DISABLE_AUTH)\s*\)/gi,
-    severity: 'high',
-    description: 'Debug/test flag may bypass security controls',
-    suggestedFix: 'Remove debug bypasses before deploying to production',
-  },
-  // Unsafe defaults
-  {
-    name: 'Unsafe default allow',
-    pattern: /default\s*:\s*(return\s+true|allow|permit|grant)/gi,
-    severity: 'medium',
-    description: 'Default case allows access - should default to deny',
-    suggestedFix: 'Change default behavior to deny access (fail-safe defaults)',
-  },
-  // Empty catch blocks
-  {
-    name: 'Empty error handler',
-    pattern: /catch\s*\([^)]*\)\s*{\s*(\/\/.*)?}/gi,
-    severity: 'medium',
-    description: 'Empty catch block may hide security errors',
-    suggestedFix: 'Log the error or handle it appropriately',
-  },
-  // Disabled security features
-  {
-    name: 'Disabled CSRF protection',
-    pattern: /csrf\s*[=:]\s*false|disableCsrf|csrfProtection\s*[=:]\s*false/gi,
-    severity: 'high',
-    description: 'CSRF protection explicitly disabled',
-    suggestedFix: 'Enable CSRF protection for state-changing requests',
-  },
-  {
-    name: 'Disabled SSL verification',
-    pattern: /rejectUnauthorized\s*[=:]\s*false|verify\s*[=:]\s*false|ssl\s*[=:]\s*false|NODE_TLS_REJECT_UNAUTHORIZED/gi,
-    severity: 'critical',
-    description: 'SSL/TLS certificate verification disabled',
-    suggestedFix: 'Enable SSL verification to prevent man-in-the-middle attacks',
-  },
-  // Insecure comparisons - ONLY flag actual secret comparisons
-  // Timing attacks are only relevant when comparing cryptographic secrets
-  // Do NOT flag: error codes, UI state, null checks, empty strings, route IDs, type checks
-  {
-    name: 'Timing attack vulnerable comparison',
-    // Only match explicit secret-related variable names being compared with ===
-    // This avoids flagging general string comparisons which are not timing-sensitive
-    pattern: /\b(password|secret|token|apiKey|api_key|credential|hash|digest|signature|privateKey|private_key|secretKey|secret_key)\s*===?\s*['"][^'"]+['"]/gi,
-    severity: 'medium',
-    description: 'Direct comparison of secret value may be vulnerable to timing attacks',
-    suggestedFix: 'Use constant-time comparison for secrets (e.g., crypto.timingSafeEqual)',
-  },
-  // Unsafe redirects - NOTE: Now uses intent detection to distinguish from React state setters
-  // The pattern is checked, but isReactStateSetter() is used to skip false positives
-  {
-    name: 'Open redirect vulnerability',
-    pattern: /redirect\s*\(\s*(req\.(query|params|body)\.|request\.|url\.)/gi,
-    severity: 'high',
-    description: 'Redirect URL from user input may allow open redirect attacks',
-    suggestedFix: 'Validate redirect URLs against an allowlist of trusted domains',
-  },
-  // Admin/superuser bypasses
-  {
-    name: 'Admin bypass pattern',
-    pattern: /if\s*\(\s*(isAdmin|isSuperUser|isRoot|role\s*===?\s*['"]admin['"])\s*\)\s*(return|continue|break)/gi,
-    severity: 'medium',
-    description: 'Admin role bypasses normal security checks',
-    suggestedFix: 'Ensure admin bypass is intentional and properly audited',
-  },
-]
-
-// Check if line is a comment
-function isComment(line: string): boolean {
-  const trimmed = line.trim()
-  return (
-    trimmed.startsWith('//') ||
-    trimmed.startsWith('#') ||
-    trimmed.startsWith('*') ||
-    trimmed.startsWith('/*')
-  )
-}
-
-export function detectLogicGates(
-  content: string,
-  filePath: string,
-  options?: { parsed?: ParsedFile }
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-
-  // Skip scanner/fixture files to avoid self-detection
-  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
-
-  const lines = options?.parsed?.lines ?? content.split('\n')
-
-  // Check each line against patterns
-  lines.forEach((line, index) => {
-    // Skip comment lines (handled separately below for auth comments)
-    if (isComment(line)) {
-      return
-    }
-
-    for (const logicPattern of LOGIC_PATTERNS) {
-      const regex = new RegExp(logicPattern.pattern.source, logicPattern.pattern.flags)
-
-      if (regex.test(line)) {
-        // Special handling for redirect patterns - check if it's actually a React state setter
-        if (logicPattern.name === 'Open redirect vulnerability') {
-          if (isReactStateSetter(line)) {
-            // This is a React state setter like setState(), not a redirect
-            continue
-          }
-          if (!isActualRedirect(line)) {
-            // This doesn't look like an actual redirect function
-            continue
-          }
-        }
-
-        vulnerabilities.push({
-          id: `logic-${filePath}-${index + 1}-${logicPattern.name}`,
-          filePath,
-          lineNumber: index + 1,
-          lineContent: line.trim(),
-          severity: logicPattern.severity,
-          category: 'security_bypass',
-          title: logicPattern.name,
-          description: logicPattern.description,
-          suggestedFix: logicPattern.suggestedFix,
-          confidence: 'medium',
-          baseConfidence: BASE_CONFIDENCE,
-          layer: 2,
-        source: 'structural' as const,
-        })
-        break // Only report once per line
-      }
-    }
-  })
-
-  // Smart comment analysis for disabled auth patterns
-  // Only flag comments that are genuinely disabled code, not explanatory comments
-  lines.forEach((line, index) => {
-    // Check if this is a comment line with auth-related content
-    if (isComment(line) && /auth|permission|verify|check|token/i.test(line)) {
-      // Use smart analysis to determine if this is disabled code
-      if (isDisabledAuthComment(lines, index)) {
-        vulnerabilities.push({
-          id: `logic-${filePath}-${index + 1}-commented-auth-check`,
-          filePath,
-          lineNumber: index + 1,
-          lineContent: line.trim(),
-          severity: 'high',
-          category: 'security_bypass',
-          title: 'Commented auth check',
-          description: 'Commented out authentication/authorization code detected. This may indicate disabled security controls.',
-          suggestedFix: 'Remove commented code or restore the security check',
-          confidence: 'medium',
-          baseConfidence: BASE_CONFIDENCE,
-          layer: 2,
-        source: 'structural' as const,
-        })
-      }
-    }
-  })
-
-  // Multi-line pattern detection (for more complex patterns)
-  const multiLineFindings = detectMultiLinePatterns(content, filePath)
-  vulnerabilities.push(...multiLineFindings)
-
-  return vulnerabilities
-}
-
-// Detect patterns that span multiple lines
-function detectMultiLinePatterns(content: string, filePath: string): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-  const lines = content.split('\n')
-
-  // Detect try-catch with empty or minimal error handling
-  const tryCatchPattern = /try\s*{[\s\S]*?}\s*catch\s*\([^)]*\)\s*{\s*(\n\s*)*(\/\/[^\n]*)?\s*}/g
-  let match
-
-  while ((match = tryCatchPattern.exec(content)) !== null) {
-    const lineNumber = content.substring(0, match.index).split('\n').length
-    vulnerabilities.push({
-      id: `logic-multiline-${filePath}-${lineNumber}`,
-      filePath,
-      lineNumber,
-      lineContent: lines[lineNumber - 1]?.trim() || 'try {',
-      severity: 'medium',
-      category: 'security_bypass',
-      title: 'Silent error handling',
-      description: 'Try-catch block with minimal error handling may hide security issues',
-      suggestedFix: 'Log errors appropriately and handle them based on type',
-      confidence: 'low',
-      baseConfidence: BASE_CONFIDENCE,
-      layer: 2,
-        source: 'structural' as const,
-    })
-  }
-
-  return vulnerabilities
-}

package/src/detect/structural/risky-imports.ts

@@ -1,197 +0,0 @@
-/**
- * Layer 2: Risky Import/Package Analysis
- * Detects imports of packages known to have security concerns or deprecated
- */
-
-import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
-import type { ParsedFile } from '../../shared/parsed-file'
-import { isScannerOrFixtureFile } from '../../parse/file-classifier'
-
-const BASE_CONFIDENCE = 0.20
-
-interface RiskyPackage {
-  name: string
-  pattern: RegExp
-  severity: VulnerabilitySeverity
-  description: string
-  suggestedFix: string
-}
-
-const RISKY_PACKAGES: RiskyPackage[] = [
-  // Known vulnerable or deprecated packages
-  {
-    name: 'request (deprecated)',
-    pattern: /require\s*\(\s*['"]request['"]\s*\)|from\s+['"]request['"]/gi,
-    severity: 'medium',
-    description: 'The "request" package is deprecated and no longer maintained',
-    suggestedFix: 'Migrate to fetch, axios, or node-fetch',
-  },
-  {
-    name: 'node-uuid (deprecated)',
-    pattern: /require\s*\(\s*['"]node-uuid['"]\s*\)|from\s+['"]node-uuid['"]/gi,
-    severity: 'low',
-    description: 'node-uuid is deprecated in favor of uuid package',
-    suggestedFix: 'Use the "uuid" package instead',
-  },
-  
-  // Packages with known security issues
-  {
-    name: 'lodash (full import)',
-    pattern: /require\s*\(\s*['"]lodash['"]\s*\)|import\s+\*?\s*(?:as\s+)?\w+\s+from\s+['"]lodash['"]/gi,
-    severity: 'low',
-    description: 'Full lodash import increases bundle size and attack surface',
-    suggestedFix: 'Import specific functions: import get from "lodash/get"',
-  },
-  {
-    name: 'moment.js (deprecated)',
-    pattern: /require\s*\(\s*['"]moment['"]\s*\)|from\s+['"]moment['"]/gi,
-    severity: 'low',
-    description: 'Moment.js is in maintenance mode, consider alternatives',
-    suggestedFix: 'Use date-fns, dayjs, or native Intl APIs',
-  },
-  
-  // Security-focused sandbox packages - info only (these are used for security, not risky)
-  {
-    name: 'vm2 (sandbox)',
-    pattern: /require\s*\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/gi,
-    severity: 'info',
-    description: 'vm2 is a sandboxing library. While it has had sandbox escape vulnerabilities historically, using it is generally safer than running untrusted code directly. Keep vm2 updated.',
-    suggestedFix: 'Keep vm2 updated to the latest version. For maximum isolation, consider isolated-vm or running in a separate process.',
-  },
-  {
-    name: 'serialize-javascript (RCE risk)',
-    pattern: /require\s*\(\s*['"]serialize-javascript['"]\s*\)|from\s+['"]serialize-javascript['"]/gi,
-    severity: 'medium',
-    description: 'serialize-javascript can be dangerous if output is not properly handled',
-    suggestedFix: 'Ensure serialized output is not directly executed or use JSON.stringify',
-  },
-  
-  // Crypto-related risky imports
-  {
-    name: 'crypto-js (outdated patterns)',
-    pattern: /require\s*\(\s*['"]crypto-js['"]\s*\)|from\s+['"]crypto-js['"]/gi,
-    severity: 'low',
-    description: 'crypto-js may use outdated crypto patterns',
-    suggestedFix: 'Prefer Node.js built-in crypto module or Web Crypto API',
-  },
-  {
-    name: 'bcrypt-nodejs (deprecated)',
-    pattern: /require\s*\(\s*['"]bcrypt-nodejs['"]\s*\)|from\s+['"]bcrypt-nodejs['"]/gi,
-    severity: 'medium',
-    description: 'bcrypt-nodejs is deprecated and unmaintained',
-    suggestedFix: 'Use bcrypt or bcryptjs instead',
-  },
-  
-  // SQL/Database risky patterns
-  {
-    name: 'mysql (prefer mysql2)',
-    pattern: /require\s*\(\s*['"]mysql['"]\s*\)|from\s+['"]mysql['"]/gi,
-    severity: 'low',
-    description: 'mysql package is less maintained than mysql2',
-    suggestedFix: 'Consider using mysql2 for better security and performance',
-  },
-  
-  // Python risky imports
-  {
-    name: 'pickle (unsafe deserialization)',
-    pattern: /^import\s+pickle|^from\s+pickle\s+import/gim,
-    severity: 'high',
-    description: 'pickle can execute arbitrary code during deserialization',
-    suggestedFix: 'Use JSON or other safe serialization formats for untrusted data',
-  },
-  {
-    name: 'yaml unsafe load',
-    pattern: /yaml\.load\s*\([^)]*\)(?!.*Loader)/gi,
-    severity: 'high',
-    description: 'yaml.load without Loader parameter can execute arbitrary code',
-    suggestedFix: 'Use yaml.safe_load() or specify Loader=yaml.SafeLoader',
-  },
-  {
-    name: 'subprocess shell=True',
-    pattern: /subprocess\.(call|run|Popen|check_output)\s*\([^)]*shell\s*=\s*True/gi,
-    severity: 'high',
-    description: 'subprocess with shell=True is vulnerable to shell injection',
-    suggestedFix: 'Use shell=False and pass arguments as a list',
-  },
-  
-  // Telemetry/tracking packages (privacy concern)
-  {
-    name: 'Analytics package',
-    pattern: /require\s*\(\s*['"](analytics|segment|mixpanel|amplitude)['"]\s*\)|from\s+['"](analytics|segment|mixpanel|amplitude)['"]/gi,
-    severity: 'low',
-    description: 'Analytics package detected - ensure user consent is obtained',
-    suggestedFix: 'Implement proper consent mechanisms for user tracking',
-  },
-  
-  // Outdated/vulnerable web frameworks
-  {
-    name: 'express-jwt (CVE history)',
-    pattern: /require\s*\(\s*['"]express-jwt['"]\s*\)|from\s+['"]express-jwt['"]/gi,
-    severity: 'medium',
-    description: 'express-jwt has had security vulnerabilities - ensure latest version',
-    suggestedFix: 'Update to latest version and consider jose or jsonwebtoken directly',
-  },
-  
-  // Dangerous native modules
-  {
-    name: 'node-gyp native module',
-    pattern: /require\s*\(\s*['"]node-gyp['"]\s*\)|from\s+['"]node-gyp['"]/gi,
-    severity: 'low',
-    description: 'Native modules can introduce platform-specific vulnerabilities',
-    suggestedFix: 'Audit native dependencies and keep them updated',
-  },
-]
-
-// Check if line is a comment
-function isComment(line: string): boolean {
-  const trimmed = line.trim()
-  return (
-    trimmed.startsWith('//') ||
-    trimmed.startsWith('#') ||
-    trimmed.startsWith('*') ||
-    trimmed.startsWith('/*')
-  )
-}
-
-export function detectRiskyImports(
-  content: string,
-  filePath: string,
-  options?: { parsed?: ParsedFile }
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-
-  // Skip scanner/fixture files to avoid self-detection
-  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
-
-  const lines = options?.parsed?.lines ?? content.split('\n')
-
-  lines.forEach((line, index) => {
-    // Skip comment lines
-    if (isComment(line)) return
-
-    for (const pkg of RISKY_PACKAGES) {
-      const regex = new RegExp(pkg.pattern.source, pkg.pattern.flags)
-      
-      if (regex.test(line)) {
-        vulnerabilities.push({
-          id: `risky-import-${filePath}-${index + 1}-${pkg.name}`,
-          filePath,
-          lineNumber: index + 1,
-          lineContent: line.trim(),
-          severity: pkg.severity,
-          category: 'suspicious_package',
-          title: `Risky package: ${pkg.name}`,
-          description: pkg.description,
-          suggestedFix: pkg.suggestedFix,
-          confidence: 'high',
-          baseConfidence: BASE_CONFIDENCE,
-          layer: 2,
-        source: 'structural' as const,
-        })
-        break // Only report once per line
-      }
-    }
-  })
-
-  return vulnerabilities
-}

package/src/detect/structural/security-headers.ts

@@ -1,231 +0,0 @@
-/**
- * Layer 2: Security Headers Detector
- * Detects missing HTTP security headers in server configurations
- *
- * OWASP A02:2021 - Cryptographic Failures / Security Misconfiguration
- * CWE-693: Protection Mechanism Failure
- */
-
-import type { Vulnerability } from '../../shared/types'
-import type { ParsedFile } from '../../shared/parsed-file'
-import {
-  isTestOrMockFile,
-  isScannerOrFixtureFile,
-} from '../../parse/file-classifier'
-
-const BASE_CONFIDENCE = 0.35
-
-interface SecurityHeadersOptions {
-  parsed?: ParsedFile
-}
-
-/**
- * Check if a file is client-side (not a server file)
- */
-function isClientSideFile(content: string, filePath: string): boolean {
-  // Explicit 'use client' directive
-  if (/['"]use client['"]/.test(content)) return true
-
-  // Client-side file paths
-  const clientPatterns = [
-    /\/components\//i,
-    /\/hooks\//i,
-    /\/pages\/(?!api\/)/i, // pages/ but not pages/api/
-    /\.client\.(ts|js|tsx|jsx)$/i,
-  ]
-
-  // Only apply path heuristics if no server indicators
-  if (clientPatterns.some(p => p.test(filePath))) {
-    // Check for server indicators that override
-    const hasServerIndicators =
-      content.includes('express()') ||
-      content.includes("require('express')") ||
-      content.includes('from \'express\'') ||
-      content.includes('from "express"') ||
-      content.includes('createServer') ||
-      /['"]use server['"]/.test(content)
-    if (!hasServerIndicators) return true
-  }
-
-  return false
-}
-
-/**
- * Check if a file is a Next.js config file
- */
-function isNextConfig(filePath: string): boolean {
-  return /next\.config\.(m?js|ts)$/.test(filePath)
-}
-
-/**
- * Detect missing security headers in server configurations
- */
-export function detectSecurityHeaders(
-  content: string,
-  filePath: string,
-  options?: SecurityHeadersOptions
-): Vulnerability[] {
-  const vulnerabilities: Vulnerability[] = []
-
-  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
-  if (isTestOrMockFile(filePath)) return vulnerabilities
-  if (isClientSideFile(content, filePath)) return vulnerabilities
-
-  const lines = options?.parsed?.lines ?? content.split('\n')
-
-  // --- Check 1: Express without helmet ---
-  const hasExpress =
-    content.includes('express()') ||
-    /require\s*\(\s*['"]express['"]\s*\)/.test(content) ||
-    /from\s+['"]express['"]/.test(content)
-
-  if (hasExpress) {
-    const hasHelmet =
-      /require\s*\(\s*['"]helmet['"]\s*\)/.test(content) ||
-      /from\s+['"]helmet['"]/.test(content) ||
-      /require\s*\(\s*['"]@fastify\/helmet['"]\s*\)/.test(content) ||
-      /from\s+['"]@fastify\/helmet['"]/.test(content)
-
-    if (!hasHelmet) {
-      // Find the line where express() is called
-      let expressLine = 0
-      let expressContent = ''
-      for (let i = 0; i < lines.length; i++) {
-        if (/express\s*\(\s*\)/.test(lines[i])) {
-          expressLine = i + 1
-          expressContent = lines[i].trim()
-          break
-        }
-      }
-
-      if (expressLine > 0) {
-        vulnerabilities.push({
-          id: `secheader-${filePath}-express-no-helmet`,
-          filePath,
-          lineNumber: expressLine,
-          lineContent: expressContent,
-          severity: 'medium',
-          category: 'missing_security_headers',
-          title: 'Express app without helmet security headers',
-          description:
-            'Express application does not use helmet middleware. This leaves the app without critical HTTP security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).',
-          suggestedFix: 'Install and add helmet middleware: npm install helmet && app.use(helmet())',
-          confidence: 'high',
-          baseConfidence: BASE_CONFIDENCE,
-          layer: 2,
-        source: 'structural' as const,
-          requiresAIValidation: true,
-        })
-      }
-    } else {
-      // --- Check 2: Helmet with CSP disabled ---
-      for (let i = 0; i < lines.length; i++) {
-        const line = lines[i]
-        if (/contentSecurityPolicy\s*:\s*false/.test(line)) {
-          vulnerabilities.push({
-            id: `secheader-${filePath}-${i + 1}-csp-disabled`,
-            filePath,
-            lineNumber: i + 1,
-            lineContent: line.trim(),
-            severity: 'low',
-            category: 'missing_security_headers',
-            title: 'Helmet CSP disabled',
-            description:
-              'Content Security Policy is explicitly disabled in helmet configuration. CSP is a critical defense against XSS attacks.',
-            suggestedFix:
-              'Configure a Content Security Policy instead of disabling it: helmet({ contentSecurityPolicy: { directives: { ... } } })',
-            confidence: 'high',
-            baseConfidence: BASE_CONFIDENCE,
-            layer: 2,
-        source: 'structural' as const,
-          })
-        }
-      }
-    }
-  }
-
-  // --- Check 3: Next.js config missing headers ---
-  if (isNextConfig(filePath)) {
-    const hasHeadersExport =
-      /headers\s*\(\s*\)/.test(content) ||
-      /headers\s*:\s*(?:async\s*)?\(?\s*\)?\s*=>/.test(content) ||
-      /async\s+headers\s*\(\s*\)/.test(content)
-
-    if (!hasHeadersExport) {
-      vulnerabilities.push({
-        id: `secheader-${filePath}-nextjs-no-headers`,
-        filePath,
-        lineNumber: 1,
-        lineContent: lines[0]?.trim() || '',
-        severity: 'medium',
-        category: 'missing_security_headers',
-        title: 'Next.js config missing security headers',
-        description:
-          'next.config does not export a headers() function. Security headers (CSP, HSTS, X-Frame-Options) should be configured in Next.js config or middleware.',
-        suggestedFix:
-          'Add a headers() function to next.config.js that returns security headers array',
-        confidence: 'medium',
-        baseConfidence: BASE_CONFIDENCE,
-        layer: 2,
-        source: 'structural' as const,
-        requiresAIValidation: true,
-      })
-    }
-  }
-
-  // --- Check 4: Server setting some headers but missing critical ones ---
-  // Only check files that explicitly set response headers
-  const setsHeaders =
-    /res\.setHeader\s*\(/.test(content) ||
-    /response\.setHeader\s*\(/.test(content) ||
-    /res\.set\s*\(/.test(content) ||
-    /response\.headers\.set\s*\(/.test(content)
-
-  if (setsHeaders && !hasExpress) {
-    const criticalHeaders = [
-      { name: 'Content-Security-Policy', pattern: /content-security-policy/i },
-      { name: 'Strict-Transport-Security', pattern: /strict-transport-security/i },
-      { name: 'X-Content-Type-Options', pattern: /x-content-type-options/i },
-      { name: 'X-Frame-Options', pattern: /x-frame-options/i },
-    ]
-
-    const missingHeaders = criticalHeaders.filter(h => !h.pattern.test(content))
-
-    // Only flag if file sets SOME headers but omits critical ones
-    const presentHeaders = criticalHeaders.filter(h => h.pattern.test(content))
-    if (presentHeaders.length > 0 && missingHeaders.length > 0) {
-      // Find a line where headers are being set for reporting
-      let headerLine = 0
-      let headerContent = ''
-      for (let i = 0; i < lines.length; i++) {
-        if (/(?:res|response)\.(?:setHeader|set|headers\.set)\s*\(/.test(lines[i])) {
-          headerLine = i + 1
-          headerContent = lines[i].trim()
-          break
-        }
-      }
-
-      if (headerLine > 0) {
-        const missing = missingHeaders.map(h => h.name).join(', ')
-        vulnerabilities.push({
-          id: `secheader-${filePath}-${headerLine}-missing-headers`,
-          filePath,
-          lineNumber: headerLine,
-          lineContent: headerContent,
-          severity: 'low',
-          category: 'missing_security_headers',
-          title: 'Incomplete security headers',
-          description: `Server sets some response headers but is missing: ${missing}. Consider adding these critical security headers.`,
-          suggestedFix: `Add missing security headers: ${missing}`,
-          confidence: 'medium',
-          baseConfidence: BASE_CONFIDENCE,
-          layer: 2,
-        source: 'structural' as const,
-          requiresAIValidation: true,
-        })
-      }
-    }
-  }
-
-  return vulnerabilities
-}