@oculum/scanner 1.0.14 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/detect/ai-code/index.d.ts +6 -11
- package/dist/detect/ai-code/index.d.ts.map +1 -1
- package/dist/detect/ai-code/index.js +6 -24
- package/dist/detect/ai-code/index.js.map +1 -1
- package/dist/detect/ast-rules/agent-tools-ast.d.ts +14 -0
- package/dist/detect/ast-rules/agent-tools-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/agent-tools-ast.js +809 -0
- package/dist/detect/ast-rules/agent-tools-ast.js.map +1 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts +14 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.js +344 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.js.map +1 -0
- package/dist/detect/ast-rules/auth-patterns-ast.d.ts +14 -0
- package/dist/detect/ast-rules/auth-patterns-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/auth-patterns-ast.js +280 -0
- package/dist/detect/ast-rules/auth-patterns-ast.js.map +1 -0
- package/dist/detect/ast-rules/byok-ast.d.ts +13 -0
- package/dist/detect/ast-rules/byok-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/byok-ast.js +180 -0
- package/dist/detect/ast-rules/byok-ast.js.map +1 -0
- package/dist/detect/ast-rules/child-process-ast.d.ts +13 -0
- package/dist/detect/ast-rules/child-process-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/child-process-ast.js +252 -0
- package/dist/detect/ast-rules/child-process-ast.js.map +1 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.d.ts +13 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.js +218 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.js.map +1 -0
- package/dist/detect/ast-rules/data-exposure-ast.d.ts +13 -0
- package/dist/detect/ast-rules/data-exposure-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/data-exposure-ast.js +158 -0
- package/dist/detect/ast-rules/data-exposure-ast.js.map +1 -0
- package/dist/detect/ast-rules/dom-xss-ast.d.ts +14 -0
- package/dist/detect/ast-rules/dom-xss-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/dom-xss-ast.js +217 -0
- package/dist/detect/ast-rules/dom-xss-ast.js.map +1 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.d.ts +13 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.js +228 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.js.map +1 -0
- package/dist/detect/ast-rules/entropy-ast.d.ts +17 -0
- package/dist/detect/ast-rules/entropy-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/entropy-ast.js +265 -0
- package/dist/detect/ast-rules/entropy-ast.js.map +1 -0
- package/dist/detect/ast-rules/flask-debug-ast.d.ts +10 -0
- package/dist/detect/ast-rules/flask-debug-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/flask-debug-ast.js +125 -0
- package/dist/detect/ast-rules/flask-debug-ast.js.map +1 -0
- package/dist/detect/ast-rules/framework-checks-ast.d.ts +13 -0
- package/dist/detect/ast-rules/framework-checks-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/framework-checks-ast.js +185 -0
- package/dist/detect/ast-rules/framework-checks-ast.js.map +1 -0
- package/dist/detect/ast-rules/helpers/call-analysis.d.ts +62 -0
- package/dist/detect/ast-rules/helpers/call-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/call-analysis.js +217 -0
- package/dist/detect/ast-rules/helpers/call-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/context-detection.d.ts +33 -0
- package/dist/detect/ast-rules/helpers/context-detection.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/context-detection.js +256 -0
- package/dist/detect/ast-rules/helpers/context-detection.js.map +1 -0
- package/dist/detect/ast-rules/helpers/control-flow.d.ts +40 -0
- package/dist/detect/ast-rules/helpers/control-flow.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/control-flow.js +174 -0
- package/dist/detect/ast-rules/helpers/control-flow.js.map +1 -0
- package/dist/detect/ast-rules/helpers/import-analysis.d.ts +43 -0
- package/dist/detect/ast-rules/helpers/import-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/import-analysis.js +149 -0
- package/dist/detect/ast-rules/helpers/import-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/index.d.ts +16 -0
- package/dist/detect/ast-rules/helpers/index.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/index.js +112 -0
- package/dist/detect/ast-rules/helpers/index.js.map +1 -0
- package/dist/detect/ast-rules/helpers/python-helpers.d.ts +215 -0
- package/dist/detect/ast-rules/helpers/python-helpers.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/python-helpers.js +935 -0
- package/dist/detect/ast-rules/helpers/python-helpers.js.map +1 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.d.ts +50 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.js +194 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/string-analysis.d.ts +57 -0
- package/dist/detect/ast-rules/helpers/string-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/string-analysis.js +184 -0
- package/dist/detect/ast-rules/helpers/string-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/type-extraction.d.ts +44 -0
- package/dist/detect/ast-rules/helpers/type-extraction.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/type-extraction.js +125 -0
- package/dist/detect/ast-rules/helpers/type-extraction.js.map +1 -0
- package/dist/detect/ast-rules/helpers/user-input.d.ts +35 -0
- package/dist/detect/ast-rules/helpers/user-input.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/user-input.js +243 -0
- package/dist/detect/ast-rules/helpers/user-input.js.map +1 -0
- package/dist/detect/ast-rules/index.d.ts +112 -0
- package/dist/detect/ast-rules/index.d.ts.map +1 -0
- package/dist/detect/ast-rules/index.js +232 -0
- package/dist/detect/ast-rules/index.js.map +1 -0
- package/dist/detect/ast-rules/json-parse-ast.d.ts +13 -0
- package/dist/detect/ast-rules/json-parse-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/json-parse-ast.js +143 -0
- package/dist/detect/ast-rules/json-parse-ast.js.map +1 -0
- package/dist/detect/ast-rules/log-injection-ast.d.ts +14 -0
- package/dist/detect/ast-rules/log-injection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/log-injection-ast.js +235 -0
- package/dist/detect/ast-rules/log-injection-ast.js.map +1 -0
- package/dist/detect/ast-rules/logic-gates-ast.d.ts +14 -0
- package/dist/detect/ast-rules/logic-gates-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/logic-gates-ast.js +312 -0
- package/dist/detect/ast-rules/logic-gates-ast.js.map +1 -0
- package/dist/detect/ast-rules/mcp-security-ast.d.ts +14 -0
- package/dist/detect/ast-rules/mcp-security-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/mcp-security-ast.js +755 -0
- package/dist/detect/ast-rules/mcp-security-ast.js.map +1 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.d.ts +13 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.js +188 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.js.map +1 -0
- package/dist/detect/ast-rules/package-hallucination-ast.d.ts +13 -0
- package/dist/detect/ast-rules/package-hallucination-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/package-hallucination-ast.js +607 -0
- package/dist/detect/ast-rules/package-hallucination-ast.js.map +1 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts +15 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.js +332 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.js.map +1 -0
- package/dist/detect/ast-rules/rag-safety-ast.d.ts +18 -0
- package/dist/detect/ast-rules/rag-safety-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/rag-safety-ast.js +640 -0
- package/dist/detect/ast-rules/rag-safety-ast.js.map +1 -0
- package/dist/detect/ast-rules/request-validation-ast.d.ts +13 -0
- package/dist/detect/ast-rules/request-validation-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/request-validation-ast.js +116 -0
- package/dist/detect/ast-rules/request-validation-ast.js.map +1 -0
- package/dist/detect/ast-rules/risky-imports-ast.d.ts +14 -0
- package/dist/detect/ast-rules/risky-imports-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/risky-imports-ast.js +114 -0
- package/dist/detect/ast-rules/risky-imports-ast.js.map +1 -0
- package/dist/detect/ast-rules/schema-validation-ast.d.ts +14 -0
- package/dist/detect/ast-rules/schema-validation-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/schema-validation-ast.js +233 -0
- package/dist/detect/ast-rules/schema-validation-ast.js.map +1 -0
- package/dist/detect/ast-rules/secret-patterns-ast.d.ts +17 -0
- package/dist/detect/ast-rules/secret-patterns-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/secret-patterns-ast.js +199 -0
- package/dist/detect/ast-rules/secret-patterns-ast.js.map +1 -0
- package/dist/detect/ast-rules/security-headers-ast.d.ts +14 -0
- package/dist/detect/ast-rules/security-headers-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/security-headers-ast.js +187 -0
- package/dist/detect/ast-rules/security-headers-ast.js.map +1 -0
- package/dist/detect/ast-rules/sql-injection-ast.d.ts +17 -0
- package/dist/detect/ast-rules/sql-injection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/sql-injection-ast.js +497 -0
- package/dist/detect/ast-rules/sql-injection-ast.js.map +1 -0
- package/dist/detect/ast-rules/ssrf-ast.d.ts +14 -0
- package/dist/detect/ast-rules/ssrf-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/ssrf-ast.js +573 -0
- package/dist/detect/ast-rules/ssrf-ast.js.map +1 -0
- package/dist/detect/ast-rules/taint-fix-templates.d.ts +18 -0
- package/dist/detect/ast-rules/taint-fix-templates.d.ts.map +1 -0
- package/dist/detect/ast-rules/taint-fix-templates.js +92 -0
- package/dist/detect/ast-rules/taint-fix-templates.js.map +1 -0
- package/dist/detect/ast-rules/taint-flow-ast.d.ts +24 -0
- package/dist/detect/ast-rules/taint-flow-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/taint-flow-ast.js +340 -0
- package/dist/detect/ast-rules/taint-flow-ast.js.map +1 -0
- package/dist/detect/ast-rules/variables-ast.d.ts +24 -0
- package/dist/detect/ast-rules/variables-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/variables-ast.js +362 -0
- package/dist/detect/ast-rules/variables-ast.js.map +1 -0
- package/dist/detect/ast-rules/weak-crypto-ast.d.ts +15 -0
- package/dist/detect/ast-rules/weak-crypto-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/weak-crypto-ast.js +406 -0
- package/dist/detect/ast-rules/weak-crypto-ast.js.map +1 -0
- package/dist/detect/ast-rules/xxe-ast.d.ts +13 -0
- package/dist/detect/ast-rules/xxe-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/xxe-ast.js +157 -0
- package/dist/detect/ast-rules/xxe-ast.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -1
- package/dist/detect/config/agent-skill-injection.js +2 -24
- package/dist/detect/config/agent-skill-injection.js.map +1 -1
- package/dist/detect/config/index.d.ts +1 -0
- package/dist/detect/config/index.d.ts.map +1 -1
- package/dist/detect/config/index.js +3 -1
- package/dist/detect/config/index.js.map +1 -1
- package/dist/detect/config/osv-check.d.ts.map +1 -1
- package/dist/detect/config/osv-check.js +6 -1
- package/dist/detect/config/osv-check.js.map +1 -1
- package/dist/detect/config/package-check.d.ts.map +1 -1
- package/dist/detect/config/package-check.js +6 -1
- package/dist/detect/config/package-check.js.map +1 -1
- package/dist/detect/config/rules-file-backdoor.d.ts +36 -0
- package/dist/detect/config/rules-file-backdoor.d.ts.map +1 -0
- package/dist/detect/config/rules-file-backdoor.js +379 -0
- package/dist/detect/config/rules-file-backdoor.js.map +1 -0
- package/dist/detect/index.d.ts +43 -6
- package/dist/detect/index.d.ts.map +1 -1
- package/dist/detect/index.js +70 -7
- package/dist/detect/index.js.map +1 -1
- package/dist/detect/secrets/config-audit.d.ts.map +1 -1
- package/dist/detect/secrets/config-audit.js +36 -3
- package/dist/detect/secrets/config-audit.js.map +1 -1
- package/dist/detect/secrets/entropy.d.ts.map +1 -1
- package/dist/detect/secrets/entropy.js +180 -0
- package/dist/detect/secrets/entropy.js.map +1 -1
- package/dist/detect/secrets/index.d.ts +0 -2
- package/dist/detect/secrets/index.d.ts.map +1 -1
- package/dist/detect/secrets/index.js +7 -17
- package/dist/detect/secrets/index.js.map +1 -1
- package/dist/detect/structural/index.d.ts +15 -28
- package/dist/detect/structural/index.d.ts.map +1 -1
- package/dist/detect/structural/index.js +20 -497
- package/dist/detect/structural/index.js.map +1 -1
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -1
- package/dist/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts.map +1 -1
- package/dist/model/auth-helper-detector.js +2 -7
- package/dist/model/auth-helper-detector.js.map +1 -1
- package/dist/model/import-resolver.d.ts.map +1 -1
- package/dist/model/import-resolver.js +94 -0
- package/dist/model/import-resolver.js.map +1 -1
- package/dist/model/imported-auth-detector.js +8 -8
- package/dist/model/imported-auth-detector.js.map +1 -1
- package/dist/model/index.d.ts +8 -0
- package/dist/model/index.d.ts.map +1 -1
- package/dist/model/index.js +198 -73
- package/dist/model/index.js.map +1 -1
- package/dist/model/module-graph.d.ts.map +1 -1
- package/dist/model/module-graph.js +22 -9
- package/dist/model/module-graph.js.map +1 -1
- package/dist/model/project-context.d.ts +1 -1
- package/dist/model/project-context.d.ts.map +1 -1
- package/dist/model/project-context.js +34 -0
- package/dist/model/project-context.js.map +1 -1
- package/dist/model/route-auth-resolver.d.ts.map +1 -1
- package/dist/model/route-auth-resolver.js +17 -2
- package/dist/model/route-auth-resolver.js.map +1 -1
- package/dist/model/route-discovery/index.js +1 -1
- package/dist/model/route-discovery/index.js.map +1 -1
- package/dist/model/route-discovery/nextjs.js +1 -1
- package/dist/model/route-discovery/nextjs.js.map +1 -1
- package/dist/model/route-discovery/python.d.ts +6 -3
- package/dist/model/route-discovery/python.d.ts.map +1 -1
- package/dist/model/route-discovery/python.js +132 -9
- package/dist/model/route-discovery/python.js.map +1 -1
- package/dist/model/route-discovery/types.d.ts +1 -1
- package/dist/model/route-discovery/types.d.ts.map +1 -1
- package/dist/model/route-discovery/utils.d.ts +8 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -1
- package/dist/model/route-discovery/utils.js +70 -0
- package/dist/model/route-discovery/utils.js.map +1 -1
- package/dist/model/taint-types.d.ts +0 -4
- package/dist/model/taint-types.d.ts.map +1 -1
- package/dist/parse/ast.d.ts +58 -0
- package/dist/parse/ast.d.ts.map +1 -0
- package/dist/parse/ast.js +230 -0
- package/dist/parse/ast.js.map +1 -0
- package/dist/parse/call-graph.d.ts +41 -0
- package/dist/parse/call-graph.d.ts.map +1 -0
- package/dist/parse/call-graph.js +386 -0
- package/dist/parse/call-graph.js.map +1 -0
- package/dist/parse/file-classifier.d.ts +11 -0
- package/dist/parse/file-classifier.d.ts.map +1 -1
- package/dist/parse/file-classifier.js +63 -15
- package/dist/parse/file-classifier.js.map +1 -1
- package/dist/parse/node-index.d.ts +32 -0
- package/dist/parse/node-index.d.ts.map +1 -0
- package/dist/parse/node-index.js +103 -0
- package/dist/parse/node-index.js.map +1 -0
- package/dist/parse/type-extractor.d.ts +50 -0
- package/dist/parse/type-extractor.d.ts.map +1 -0
- package/dist/parse/type-extractor.js +243 -0
- package/dist/parse/type-extractor.js.map +1 -0
- package/dist/pipeline/config.d.ts +7 -1
- package/dist/pipeline/config.d.ts.map +1 -1
- package/dist/pipeline/config.js.map +1 -1
- package/dist/pipeline/index.d.ts +3 -3
- package/dist/pipeline/index.d.ts.map +1 -1
- package/dist/pipeline/index.js +192 -64
- package/dist/pipeline/index.js.map +1 -1
- package/dist/pipeline/modes/incremental.d.ts.map +1 -1
- package/dist/pipeline/modes/incremental.js +2 -7
- package/dist/pipeline/modes/incremental.js.map +1 -1
- package/dist/postprocess/dedup.d.ts +5 -2
- package/dist/postprocess/dedup.d.ts.map +1 -1
- package/dist/postprocess/dedup.js +47 -16
- package/dist/postprocess/dedup.js.map +1 -1
- package/dist/report/build-result.d.ts +9 -4
- package/dist/report/build-result.d.ts.map +1 -1
- package/dist/report/build-result.js +15 -4
- package/dist/report/build-result.js.map +1 -1
- package/dist/report/formatters/cli-terminal.d.ts +1 -1
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -1
- package/dist/report/formatters/cli-terminal.js +434 -231
- package/dist/report/formatters/cli-terminal.js.map +1 -1
- package/dist/report/sanitize.d.ts +10 -0
- package/dist/report/sanitize.d.ts.map +1 -0
- package/dist/report/sanitize.js +19 -0
- package/dist/report/sanitize.js.map +1 -0
- package/dist/score/adjustments.d.ts +20 -2
- package/dist/score/adjustments.d.ts.map +1 -1
- package/dist/score/adjustments.js +108 -37
- package/dist/score/adjustments.js.map +1 -1
- package/dist/score/confidence.d.ts +6 -0
- package/dist/score/confidence.d.ts.map +1 -1
- package/dist/score/confidence.js +10 -4
- package/dist/score/confidence.js.map +1 -1
- package/dist/score/evidence.d.ts +25 -0
- package/dist/score/evidence.d.ts.map +1 -0
- package/dist/score/evidence.js +51 -0
- package/dist/score/evidence.js.map +1 -0
- package/dist/score/index.d.ts +3 -1
- package/dist/score/index.d.ts.map +1 -1
- package/dist/score/index.js +25 -50
- package/dist/score/index.js.map +1 -1
- package/dist/score/types.d.ts +5 -1
- package/dist/score/types.d.ts.map +1 -1
- package/dist/shared/category-filter.d.ts.map +1 -1
- package/dist/shared/category-filter.js +12 -0
- package/dist/shared/category-filter.js.map +1 -1
- package/dist/shared/regex-utils.d.ts +3 -0
- package/dist/shared/regex-utils.d.ts.map +1 -0
- package/dist/shared/regex-utils.js +8 -0
- package/dist/shared/regex-utils.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +7 -0
- package/dist/shared/registry-clients.d.ts.map +1 -1
- package/dist/shared/registry-clients.js +94 -17
- package/dist/shared/registry-clients.js.map +1 -1
- package/dist/shared/rules/metadata.d.ts.map +1 -1
- package/dist/shared/rules/metadata.js +17 -0
- package/dist/shared/rules/metadata.js.map +1 -1
- package/dist/shared/types.d.ts +59 -15
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js +38 -21
- package/dist/shared/types.js.map +1 -1
- package/dist/taint/async-flow.d.ts +44 -0
- package/dist/taint/async-flow.d.ts.map +1 -0
- package/dist/taint/async-flow.js +271 -0
- package/dist/taint/async-flow.js.map +1 -0
- package/dist/taint/cfg-builder.d.ts +35 -0
- package/dist/taint/cfg-builder.d.ts.map +1 -0
- package/dist/taint/cfg-builder.js +980 -0
- package/dist/taint/cfg-builder.js.map +1 -0
- package/dist/taint/cfg-types.d.ts +76 -0
- package/dist/taint/cfg-types.d.ts.map +1 -0
- package/dist/taint/cfg-types.js +13 -0
- package/dist/taint/cfg-types.js.map +1 -0
- package/dist/taint/constant-propagation.d.ts +34 -0
- package/dist/taint/constant-propagation.d.ts.map +1 -0
- package/dist/taint/constant-propagation.js +164 -0
- package/dist/taint/constant-propagation.js.map +1 -0
- package/dist/taint/cross-file-analyzer.d.ts +27 -0
- package/dist/taint/cross-file-analyzer.d.ts.map +1 -0
- package/dist/taint/cross-file-analyzer.js +99 -0
- package/dist/taint/cross-file-analyzer.js.map +1 -0
- package/dist/taint/cross-file-index.d.ts +59 -0
- package/dist/taint/cross-file-index.d.ts.map +1 -0
- package/dist/taint/cross-file-index.js +183 -0
- package/dist/taint/cross-file-index.js.map +1 -0
- package/dist/taint/def-use.d.ts +27 -0
- package/dist/taint/def-use.d.ts.map +1 -0
- package/dist/taint/def-use.js +519 -0
- package/dist/taint/def-use.js.map +1 -0
- package/dist/taint/file-analysis-cache.d.ts +47 -0
- package/dist/taint/file-analysis-cache.d.ts.map +1 -0
- package/dist/taint/file-analysis-cache.js +107 -0
- package/dist/taint/file-analysis-cache.js.map +1 -0
- package/dist/taint/framework-models.d.ts +77 -0
- package/dist/taint/framework-models.d.ts.map +1 -0
- package/dist/taint/framework-models.js +258 -0
- package/dist/taint/framework-models.js.map +1 -0
- package/dist/taint/helpers.d.ts +31 -0
- package/dist/taint/helpers.d.ts.map +1 -0
- package/dist/taint/helpers.js +130 -0
- package/dist/taint/helpers.js.map +1 -0
- package/dist/taint/index.d.ts +28 -0
- package/dist/taint/index.d.ts.map +1 -0
- package/dist/taint/index.js +77 -0
- package/dist/taint/index.js.map +1 -0
- package/dist/taint/llm-registry.d.ts +47 -0
- package/dist/taint/llm-registry.d.ts.map +1 -0
- package/dist/taint/llm-registry.js +152 -0
- package/dist/taint/llm-registry.js.map +1 -0
- package/dist/taint/llm-risk-scoring.d.ts +54 -0
- package/dist/taint/llm-risk-scoring.d.ts.map +1 -0
- package/dist/taint/llm-risk-scoring.js +376 -0
- package/dist/taint/llm-risk-scoring.js.map +1 -0
- package/dist/taint/propagation-types.d.ts +104 -0
- package/dist/taint/propagation-types.d.ts.map +1 -0
- package/dist/taint/propagation-types.js +98 -0
- package/dist/taint/propagation-types.js.map +1 -0
- package/dist/taint/propagation.d.ts +111 -0
- package/dist/taint/propagation.d.ts.map +1 -0
- package/dist/taint/propagation.js +1576 -0
- package/dist/taint/propagation.js.map +1 -0
- package/dist/taint/sanitizer-registry.d.ts +26 -0
- package/dist/taint/sanitizer-registry.d.ts.map +1 -0
- package/dist/taint/sanitizer-registry.js +422 -0
- package/dist/taint/sanitizer-registry.js.map +1 -0
- package/dist/taint/sink-classifier.d.ts +27 -0
- package/dist/taint/sink-classifier.d.ts.map +1 -0
- package/dist/taint/sink-classifier.js +1166 -0
- package/dist/taint/sink-classifier.js.map +1 -0
- package/dist/taint/source-classifier.d.ts +29 -0
- package/dist/taint/source-classifier.d.ts.map +1 -0
- package/dist/taint/source-classifier.js +814 -0
- package/dist/taint/source-classifier.js.map +1 -0
- package/dist/taint/taint-analyzer.d.ts +33 -0
- package/dist/taint/taint-analyzer.d.ts.map +1 -0
- package/dist/taint/taint-analyzer.js +88 -0
- package/dist/taint/taint-analyzer.js.map +1 -0
- package/dist/taint/taint-summary.d.ts +37 -0
- package/dist/taint/taint-summary.d.ts.map +1 -0
- package/dist/taint/taint-summary.js +293 -0
- package/dist/taint/taint-summary.js.map +1 -0
- package/dist/taint/types.d.ts +47 -0
- package/dist/taint/types.d.ts.map +1 -0
- package/dist/taint/types.js +19 -0
- package/dist/taint/types.js.map +1 -0
- package/dist/validate/clients.d.ts +2 -1
- package/dist/validate/clients.d.ts.map +1 -1
- package/dist/validate/clients.js +3 -2
- package/dist/validate/clients.js.map +1 -1
- package/dist/validate/index.d.ts +5 -6
- package/dist/validate/index.d.ts.map +1 -1
- package/dist/validate/index.js +22 -21
- package/dist/validate/index.js.map +1 -1
- package/dist/validate/prompts/modules/ai-patterns.d.ts +1 -1
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -1
- package/dist/validate/prompts/modules/ai-patterns.js +16 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -1
- package/dist/validate/prompts/modules/common.d.ts +1 -1
- package/dist/validate/prompts/modules/common.d.ts.map +1 -1
- package/dist/validate/prompts/modules/common.js +12 -3
- package/dist/validate/prompts/modules/common.js.map +1 -1
- package/dist/validate/providers/anthropic.d.ts +4 -4
- package/dist/validate/providers/anthropic.d.ts.map +1 -1
- package/dist/validate/providers/anthropic.js +85 -58
- package/dist/validate/providers/anthropic.js.map +1 -1
- package/dist/validate/providers/openai.d.ts +4 -4
- package/dist/validate/providers/openai.d.ts.map +1 -1
- package/dist/validate/providers/openai.js +149 -99
- package/dist/validate/providers/openai.js.map +1 -1
- package/dist/validate/request-builder.d.ts +2 -8
- package/dist/validate/request-builder.d.ts.map +1 -1
- package/dist/validate/request-builder.js +4 -34
- package/dist/validate/request-builder.js.map +1 -1
- package/dist/validate/types.d.ts +9 -0
- package/dist/validate/types.d.ts.map +1 -1
- package/dist/validate/types.js.map +1 -1
- package/dist/validate/utils/path-helpers.js +2 -2
- package/dist/validate/utils/path-helpers.js.map +1 -1
- package/dist/validate/utils/response-parser.d.ts +10 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -1
- package/dist/validate/utils/response-parser.js +21 -2
- package/dist/validate/utils/response-parser.js.map +1 -1
- package/dist/validate/utils/retry.d.ts.map +1 -1
- package/dist/validate/utils/retry.js +19 -4
- package/dist/validate/utils/retry.js.map +1 -1
- package/package.json +7 -4
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1 -1
- package/src/__tests__/benchmark/planted-benchmark.test.ts +337 -0
- package/src/__tests__/benchmark/utils/test-runner.ts +38 -4
- package/src/__tests__/category-filter.test.ts +5 -1
- package/src/__tests__/context-engine/route-discovery/python.test.ts +726 -0
- package/src/__tests__/detect/ast-rules.test.ts +1043 -0
- package/src/__tests__/detect/offline-mode.test.ts +147 -0
- package/src/__tests__/detect/python-ast-rules.test.ts +569 -0
- package/src/__tests__/detect/python-helpers.test.ts +536 -0
- package/src/__tests__/detect/python-sast-rules.test.ts +453 -0
- package/src/__tests__/detect/rules-file-backdoor-decoders.test.ts +151 -0
- package/src/__tests__/detect/rules-file-backdoor.test.ts +284 -0
- package/src/__tests__/detect/taint-fix-templates.test.ts +150 -0
- package/src/__tests__/detect/taint-path-serialization.test.ts +170 -0
- package/src/__tests__/parse/call-graph.test.ts +300 -0
- package/src/__tests__/parse/python-parser.test.ts +274 -0
- package/src/__tests__/regression/known-false-positives.test.ts +491 -9
- package/src/__tests__/regression/rules-file-backdoor.test.ts +137 -0
- package/src/__tests__/score/adjustments.test.ts +34 -16
- package/src/__tests__/score/confidence.test.ts +84 -57
- package/src/__tests__/score/evidence-scoring.test.ts +249 -0
- package/src/__tests__/score/evidence.test.ts +144 -0
- package/src/__tests__/score/scoring-integration.test.ts +56 -34
- package/src/__tests__/score/taint-adjustments.test.ts +14 -228
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +65 -59
- package/src/__tests__/snapshots/scan-depth.test.ts +39 -7
- package/src/__tests__/taint/async-flow.test.ts +247 -0
- package/src/__tests__/taint/cfg-builder.test.ts +835 -0
- package/src/__tests__/taint/constant-propagation.test.ts +302 -0
- package/src/__tests__/taint/cross-file-index.test.ts +683 -0
- package/src/__tests__/taint/cross-file-integration.test.ts +275 -0
- package/src/__tests__/taint/cross-file-propagation.test.ts +910 -0
- package/src/__tests__/taint/def-use.test.ts +132 -0
- package/src/__tests__/taint/field-sensitive-sinks.test.ts +179 -0
- package/src/__tests__/taint/field-sensitivity.test.ts +342 -0
- package/src/__tests__/taint/file-analysis-cache.test.ts +290 -0
- package/src/__tests__/taint/framework-models.test.ts +227 -0
- package/src/__tests__/taint/llm-flow-graph.test.ts +850 -0
- package/src/__tests__/taint/llm-risk-scoring.test.ts +439 -0
- package/src/__tests__/taint/performance-parity.test.ts +315 -0
- package/src/__tests__/taint/propagation.test.ts +621 -0
- package/src/__tests__/taint/python-cross-file.test.ts +494 -0
- package/src/__tests__/taint/python-taint.test.ts +1344 -0
- package/src/__tests__/taint/sanitizer-registry.test.ts +304 -0
- package/src/__tests__/taint/sanitizer-regression.test.ts +111 -0
- package/src/__tests__/taint/sink-classifier.test.ts +537 -0
- package/src/__tests__/taint/source-classifier.test.ts +367 -0
- package/src/__tests__/taint/taint-pipeline.test.ts +418 -0
- package/src/__tests__/taint/taint-smoke.test.ts +400 -0
- package/src/__tests__/taint/taint-summary.test.ts +472 -0
- package/src/detect/ai-code/index.ts +6 -11
- package/src/detect/ast-rules/agent-tools-ast.ts +861 -0
- package/src/detect/ast-rules/ai-fingerprinting-ast.ts +451 -0
- package/src/detect/ast-rules/auth-patterns-ast.ts +304 -0
- package/src/detect/ast-rules/byok-ast.ts +195 -0
- package/src/detect/ast-rules/child-process-ast.ts +276 -0
- package/src/detect/ast-rules/dangerous-eval-ast.ts +227 -0
- package/src/detect/ast-rules/data-exposure-ast.ts +162 -0
- package/src/detect/ast-rules/dom-xss-ast.ts +260 -0
- package/src/detect/ast-rules/endpoint-protection-ast.ts +231 -0
- package/src/detect/ast-rules/entropy-ast.ts +268 -0
- package/src/detect/ast-rules/flask-debug-ast.ts +148 -0
- package/src/detect/ast-rules/framework-checks-ast.ts +200 -0
- package/src/detect/ast-rules/helpers/call-analysis.ts +256 -0
- package/src/detect/ast-rules/helpers/context-detection.ts +277 -0
- package/src/detect/ast-rules/helpers/control-flow.ts +179 -0
- package/src/detect/ast-rules/helpers/import-analysis.ts +185 -0
- package/src/detect/ast-rules/helpers/index.ts +133 -0
- package/src/detect/ast-rules/helpers/python-helpers.ts +1054 -0
- package/src/detect/ast-rules/helpers/scope-analysis.ts +224 -0
- package/src/detect/ast-rules/helpers/string-analysis.ts +215 -0
- package/src/detect/ast-rules/helpers/type-extraction.ts +138 -0
- package/src/detect/ast-rules/helpers/user-input.ts +256 -0
- package/src/detect/ast-rules/index.ts +311 -0
- package/src/detect/ast-rules/json-parse-ast.ts +162 -0
- package/src/detect/ast-rules/log-injection-ast.ts +243 -0
- package/src/detect/ast-rules/logic-gates-ast.ts +343 -0
- package/src/detect/ast-rules/mcp-security-ast.ts +808 -0
- package/src/detect/ast-rules/model-supply-chain-ast.ts +202 -0
- package/src/detect/ast-rules/package-hallucination-ast.ts +664 -0
- package/src/detect/ast-rules/prompt-hygiene-ast.ts +329 -0
- package/src/detect/ast-rules/rag-safety-ast.ts +689 -0
- package/src/detect/ast-rules/request-validation-ast.ts +122 -0
- package/src/detect/ast-rules/risky-imports-ast.ts +133 -0
- package/src/detect/ast-rules/schema-validation-ast.ts +244 -0
- package/src/detect/ast-rules/secret-patterns-ast.ts +223 -0
- package/src/detect/ast-rules/security-headers-ast.ts +206 -0
- package/src/detect/ast-rules/sql-injection-ast.ts +614 -0
- package/src/detect/ast-rules/ssrf-ast.ts +601 -0
- package/src/detect/ast-rules/taint-fix-templates.ts +108 -0
- package/src/detect/ast-rules/taint-flow-ast.ts +416 -0
- package/src/detect/ast-rules/variables-ast.ts +446 -0
- package/src/detect/ast-rules/weak-crypto-ast.ts +441 -0
- package/src/detect/ast-rules/xxe-ast.ts +184 -0
- package/src/detect/config/agent-skill-injection.ts +2 -24
- package/src/detect/config/index.ts +1 -0
- package/src/detect/config/osv-check.ts +6 -1
- package/src/detect/config/package-check.ts +6 -1
- package/src/detect/config/rules-file-backdoor.ts +438 -0
- package/src/detect/index.ts +146 -52
- package/src/detect/secrets/config-audit.ts +37 -3
- package/src/detect/secrets/entropy.ts +195 -0
- package/src/detect/secrets/index.ts +7 -16
- package/src/detect/structural/index.ts +23 -566
- package/src/index.ts +7 -0
- package/src/model/auth-helper-detector.ts +1 -7
- package/src/model/import-resolver.ts +104 -0
- package/src/model/imported-auth-detector.ts +1 -1
- package/src/model/index.ts +240 -80
- package/src/model/module-graph.ts +17 -5
- package/src/model/project-context.ts +28 -1
- package/src/model/route-auth-resolver.ts +18 -3
- package/src/model/route-discovery/index.ts +1 -1
- package/src/model/route-discovery/nextjs.ts +1 -1
- package/src/model/route-discovery/python.ts +156 -9
- package/src/model/route-discovery/types.ts +1 -1
- package/src/model/route-discovery/utils.ts +73 -0
- package/src/model/taint-types.ts +1 -6
- package/src/parse/ast.ts +271 -0
- package/src/parse/call-graph.ts +419 -0
- package/src/parse/file-classifier.ts +69 -15
- package/src/parse/node-index.ts +118 -0
- package/src/parse/type-extractor.ts +293 -0
- package/src/pipeline/config.ts +7 -0
- package/src/pipeline/index.ts +464 -199
- package/src/pipeline/modes/incremental.ts +1 -7
- package/src/postprocess/dedup.ts +48 -17
- package/src/report/build-result.ts +57 -29
- package/src/report/formatters/cli-terminal.ts +731 -415
- package/src/report/sanitize.ts +27 -0
- package/src/score/adjustments.ts +113 -40
- package/src/score/confidence.ts +10 -5
- package/src/score/evidence.ts +55 -0
- package/src/score/index.ts +27 -55
- package/src/score/types.ts +4 -0
- package/src/shared/category-filter.ts +12 -0
- package/src/shared/regex-utils.ts +4 -0
- package/src/shared/registry-clients.ts +106 -18
- package/src/shared/rules/__tests__/metadata.test.ts +5 -1
- package/src/shared/rules/metadata.ts +19 -0
- package/src/shared/types.ts +372 -253
- package/src/taint/async-flow.ts +301 -0
- package/src/taint/cfg-builder.ts +1127 -0
- package/src/taint/cfg-types.ts +110 -0
- package/src/taint/constant-propagation.ts +170 -0
- package/src/taint/cross-file-analyzer.ts +118 -0
- package/src/taint/cross-file-index.ts +275 -0
- package/src/taint/def-use.ts +556 -0
- package/src/taint/file-analysis-cache.ts +145 -0
- package/src/taint/framework-models.ts +313 -0
- package/src/taint/helpers.ts +138 -0
- package/src/taint/index.ts +71 -0
- package/src/taint/llm-registry.ts +174 -0
- package/src/taint/llm-risk-scoring.ts +412 -0
- package/src/taint/propagation-types.ts +188 -0
- package/src/taint/propagation.ts +1750 -0
- package/src/taint/sanitizer-registry.ts +490 -0
- package/src/taint/sink-classifier.ts +1402 -0
- package/src/taint/source-classifier.ts +859 -0
- package/src/taint/taint-analyzer.ts +112 -0
- package/src/taint/taint-summary.ts +341 -0
- package/src/taint/types.ts +86 -0
- package/src/validate/clients.ts +3 -2
- package/src/validate/index.ts +89 -53
- package/src/validate/prompts/modules/ai-patterns.ts +16 -0
- package/src/validate/prompts/modules/common.ts +12 -3
- package/src/validate/providers/anthropic.ts +254 -148
- package/src/validate/providers/openai.ts +363 -218
- package/src/validate/request-builder.ts +2 -45
- package/src/validate/types.ts +9 -0
- package/src/validate/utils/path-helpers.ts +2 -2
- package/src/validate/utils/response-parser.ts +32 -3
- package/src/validate/utils/retry.ts +19 -4
- package/dist/ai-context/index.d.ts +0 -6
- package/dist/ai-context/index.d.ts.map +0 -1
- package/dist/ai-context/index.js +0 -13
- package/dist/ai-context/index.js.map +0 -1
- package/dist/ai-context/manager.d.ts +0 -67
- package/dist/ai-context/manager.d.ts.map +0 -1
- package/dist/ai-context/manager.js +0 -104
- package/dist/ai-context/manager.js.map +0 -1
- package/dist/baseline/diff.d.ts +0 -32
- package/dist/baseline/diff.d.ts.map +0 -1
- package/dist/baseline/diff.js +0 -119
- package/dist/baseline/diff.js.map +0 -1
- package/dist/baseline/index.d.ts +0 -9
- package/dist/baseline/index.d.ts.map +0 -1
- package/dist/baseline/index.js +0 -19
- package/dist/baseline/index.js.map +0 -1
- package/dist/baseline/manager.d.ts +0 -67
- package/dist/baseline/manager.d.ts.map +0 -1
- package/dist/baseline/manager.js +0 -180
- package/dist/baseline/manager.js.map +0 -1
- package/dist/baseline/types.d.ts +0 -91
- package/dist/baseline/types.d.ts.map +0 -1
- package/dist/baseline/types.js +0 -12
- package/dist/baseline/types.js.map +0 -1
- package/dist/category-filter.d.ts +0 -125
- package/dist/category-filter.d.ts.map +0 -1
- package/dist/category-filter.js +0 -360
- package/dist/category-filter.js.map +0 -1
- package/dist/detect/ai-code/agent-tools.d.ts +0 -22
- package/dist/detect/ai-code/agent-tools.d.ts.map +0 -1
- package/dist/detect/ai-code/agent-tools.js +0 -1509
- package/dist/detect/ai-code/agent-tools.js.map +0 -1
- package/dist/detect/ai-code/byok-patterns.d.ts +0 -15
- package/dist/detect/ai-code/byok-patterns.d.ts.map +0 -1
- package/dist/detect/ai-code/byok-patterns.js +0 -313
- package/dist/detect/ai-code/byok-patterns.js.map +0 -1
- package/dist/detect/ai-code/endpoint-protection.d.ts +0 -38
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +0 -1
- package/dist/detect/ai-code/endpoint-protection.js +0 -349
- package/dist/detect/ai-code/endpoint-protection.js.map +0 -1
- package/dist/detect/ai-code/execution-sinks.d.ts +0 -21
- package/dist/detect/ai-code/execution-sinks.d.ts.map +0 -1
- package/dist/detect/ai-code/execution-sinks.js +0 -1158
- package/dist/detect/ai-code/execution-sinks.js.map +0 -1
- package/dist/detect/ai-code/fingerprinting.d.ts +0 -10
- package/dist/detect/ai-code/fingerprinting.d.ts.map +0 -1
- package/dist/detect/ai-code/fingerprinting.js +0 -665
- package/dist/detect/ai-code/fingerprinting.js.map +0 -1
- package/dist/detect/ai-code/mcp-security.d.ts +0 -20
- package/dist/detect/ai-code/mcp-security.d.ts.map +0 -1
- package/dist/detect/ai-code/mcp-security.js +0 -880
- package/dist/detect/ai-code/mcp-security.js.map +0 -1
- package/dist/detect/ai-code/model-supply-chain.d.ts +0 -23
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +0 -1
- package/dist/detect/ai-code/model-supply-chain.js +0 -447
- package/dist/detect/ai-code/model-supply-chain.js.map +0 -1
- package/dist/detect/ai-code/package-hallucination.d.ts +0 -22
- package/dist/detect/ai-code/package-hallucination.d.ts.map +0 -1
- package/dist/detect/ai-code/package-hallucination.js +0 -841
- package/dist/detect/ai-code/package-hallucination.js.map +0 -1
- package/dist/detect/ai-code/prompt-hygiene.d.ts +0 -22
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +0 -1
- package/dist/detect/ai-code/prompt-hygiene.js +0 -1177
- package/dist/detect/ai-code/prompt-hygiene.js.map +0 -1
- package/dist/detect/ai-code/rag-safety.d.ts +0 -24
- package/dist/detect/ai-code/rag-safety.d.ts.map +0 -1
- package/dist/detect/ai-code/rag-safety.js +0 -913
- package/dist/detect/ai-code/rag-safety.js.map +0 -1
- package/dist/detect/ai-code/schema-validation.d.ts +0 -28
- package/dist/detect/ai-code/schema-validation.d.ts.map +0 -1
- package/dist/detect/ai-code/schema-validation.js +0 -378
- package/dist/detect/ai-code/schema-validation.js.map +0 -1
- package/dist/detect/secrets/patterns.d.ts +0 -11
- package/dist/detect/secrets/patterns.d.ts.map +0 -1
- package/dist/detect/secrets/patterns.js +0 -518
- package/dist/detect/secrets/patterns.js.map +0 -1
- package/dist/detect/secrets/weak-crypto.d.ts +0 -10
- package/dist/detect/secrets/weak-crypto.d.ts.map +0 -1
- package/dist/detect/secrets/weak-crypto.js +0 -432
- package/dist/detect/secrets/weak-crypto.js.map +0 -1
- package/dist/detect/structural/auth-patterns.d.ts +0 -22
- package/dist/detect/structural/auth-patterns.d.ts.map +0 -1
- package/dist/detect/structural/auth-patterns.js +0 -533
- package/dist/detect/structural/auth-patterns.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +0 -16
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/child-process.js +0 -74
- package/dist/detect/structural/dangerous-functions/child-process.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +0 -34
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/dom-xss.js +0 -230
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/index.d.ts +0 -16
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/index.js +0 -1193
- package/dist/detect/structural/dangerous-functions/index.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +0 -31
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/json-parse.js +0 -326
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +0 -111
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/math-random.js +0 -684
- package/dist/detect/structural/dangerous-functions/math-random.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +0 -21
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/patterns.js +0 -163
- package/dist/detect/structural/dangerous-functions/patterns.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +0 -13
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/request-validation.js +0 -126
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +0 -24
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +0 -70
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +0 -31
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +0 -147
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +0 -9
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/index.js +0 -23
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +0 -22
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +0 -102
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +0 -1
- package/dist/detect/structural/data-exposure.d.ts +0 -19
- package/dist/detect/structural/data-exposure.d.ts.map +0 -1
- package/dist/detect/structural/data-exposure.js +0 -262
- package/dist/detect/structural/data-exposure.js.map +0 -1
- package/dist/detect/structural/framework-checks.d.ts +0 -10
- package/dist/detect/structural/framework-checks.d.ts.map +0 -1
- package/dist/detect/structural/framework-checks.js +0 -389
- package/dist/detect/structural/framework-checks.js.map +0 -1
- package/dist/detect/structural/log-injection.d.ts +0 -18
- package/dist/detect/structural/log-injection.d.ts.map +0 -1
- package/dist/detect/structural/log-injection.js +0 -217
- package/dist/detect/structural/log-injection.js.map +0 -1
- package/dist/detect/structural/logic-gates.d.ts +0 -10
- package/dist/detect/structural/logic-gates.d.ts.map +0 -1
- package/dist/detect/structural/logic-gates.js +0 -227
- package/dist/detect/structural/logic-gates.js.map +0 -1
- package/dist/detect/structural/risky-imports.d.ts +0 -10
- package/dist/detect/structural/risky-imports.d.ts.map +0 -1
- package/dist/detect/structural/risky-imports.js +0 -168
- package/dist/detect/structural/risky-imports.js.map +0 -1
- package/dist/detect/structural/security-headers.d.ts +0 -18
- package/dist/detect/structural/security-headers.d.ts.map +0 -1
- package/dist/detect/structural/security-headers.js +0 -196
- package/dist/detect/structural/security-headers.js.map +0 -1
- package/dist/detect/structural/ssrf-detection.d.ts +0 -18
- package/dist/detect/structural/ssrf-detection.d.ts.map +0 -1
- package/dist/detect/structural/ssrf-detection.js +0 -263
- package/dist/detect/structural/ssrf-detection.js.map +0 -1
- package/dist/detect/structural/variables.d.ts +0 -11
- package/dist/detect/structural/variables.d.ts.map +0 -1
- package/dist/detect/structural/variables.js +0 -159
- package/dist/detect/structural/variables.js.map +0 -1
- package/dist/detect/structural/xxe-detection.d.ts +0 -18
- package/dist/detect/structural/xxe-detection.d.ts.map +0 -1
- package/dist/detect/structural/xxe-detection.js +0 -245
- package/dist/detect/structural/xxe-detection.js.map +0 -1
- package/dist/filtering/context-adjustments.d.ts +0 -23
- package/dist/filtering/context-adjustments.d.ts.map +0 -1
- package/dist/filtering/context-adjustments.js +0 -100
- package/dist/filtering/context-adjustments.js.map +0 -1
- package/dist/filtering/index.d.ts +0 -3
- package/dist/filtering/index.d.ts.map +0 -1
- package/dist/filtering/index.js +0 -8
- package/dist/filtering/index.js.map +0 -1
- package/dist/filtering/pipeline.d.ts +0 -48
- package/dist/filtering/pipeline.d.ts.map +0 -1
- package/dist/filtering/pipeline.js +0 -76
- package/dist/filtering/pipeline.js.map +0 -1
- package/dist/formatters/ai-context.d.ts +0 -23
- package/dist/formatters/ai-context.d.ts.map +0 -1
- package/dist/formatters/ai-context.js +0 -238
- package/dist/formatters/ai-context.js.map +0 -1
- package/dist/formatters/cli-terminal.d.ts +0 -65
- package/dist/formatters/cli-terminal.d.ts.map +0 -1
- package/dist/formatters/cli-terminal.js +0 -735
- package/dist/formatters/cli-terminal.js.map +0 -1
- package/dist/formatters/github-comment.d.ts +0 -41
- package/dist/formatters/github-comment.d.ts.map +0 -1
- package/dist/formatters/github-comment.js +0 -370
- package/dist/formatters/github-comment.js.map +0 -1
- package/dist/formatters/grouping.d.ts +0 -52
- package/dist/formatters/grouping.d.ts.map +0 -1
- package/dist/formatters/grouping.js +0 -152
- package/dist/formatters/grouping.js.map +0 -1
- package/dist/formatters/ide/claude-code.d.ts +0 -17
- package/dist/formatters/ide/claude-code.d.ts.map +0 -1
- package/dist/formatters/ide/claude-code.js +0 -94
- package/dist/formatters/ide/claude-code.js.map +0 -1
- package/dist/formatters/ide/cursor.d.ts +0 -13
- package/dist/formatters/ide/cursor.d.ts.map +0 -1
- package/dist/formatters/ide/cursor.js +0 -125
- package/dist/formatters/ide/cursor.js.map +0 -1
- package/dist/formatters/ide/index.d.ts +0 -62
- package/dist/formatters/ide/index.d.ts.map +0 -1
- package/dist/formatters/ide/index.js +0 -184
- package/dist/formatters/ide/index.js.map +0 -1
- package/dist/formatters/ide/windsurf.d.ts +0 -13
- package/dist/formatters/ide/windsurf.d.ts.map +0 -1
- package/dist/formatters/ide/windsurf.js +0 -117
- package/dist/formatters/ide/windsurf.js.map +0 -1
- package/dist/formatters/index.d.ts +0 -11
- package/dist/formatters/index.d.ts.map +0 -1
- package/dist/formatters/index.js +0 -54
- package/dist/formatters/index.js.map +0 -1
- package/dist/formatters/vscode-diagnostic.d.ts +0 -103
- package/dist/formatters/vscode-diagnostic.d.ts.map +0 -1
- package/dist/formatters/vscode-diagnostic.js +0 -151
- package/dist/formatters/vscode-diagnostic.js.map +0 -1
- package/dist/layer1/comments.d.ts +0 -11
- package/dist/layer1/comments.d.ts.map +0 -1
- package/dist/layer1/comments.js +0 -203
- package/dist/layer1/comments.js.map +0 -1
- package/dist/layer1/config-audit.d.ts +0 -11
- package/dist/layer1/config-audit.d.ts.map +0 -1
- package/dist/layer1/config-audit.js +0 -311
- package/dist/layer1/config-audit.js.map +0 -1
- package/dist/layer1/config-mcp-audit.d.ts +0 -23
- package/dist/layer1/config-mcp-audit.d.ts.map +0 -1
- package/dist/layer1/config-mcp-audit.js +0 -239
- package/dist/layer1/config-mcp-audit.js.map +0 -1
- package/dist/layer1/entropy.d.ts +0 -11
- package/dist/layer1/entropy.d.ts.map +0 -1
- package/dist/layer1/entropy.js +0 -741
- package/dist/layer1/entropy.js.map +0 -1
- package/dist/layer1/file-flags.d.ts +0 -10
- package/dist/layer1/file-flags.d.ts.map +0 -1
- package/dist/layer1/file-flags.js +0 -119
- package/dist/layer1/file-flags.js.map +0 -1
- package/dist/layer1/index.d.ts +0 -38
- package/dist/layer1/index.d.ts.map +0 -1
- package/dist/layer1/index.js +0 -170
- package/dist/layer1/index.js.map +0 -1
- package/dist/layer1/patterns.d.ts +0 -11
- package/dist/layer1/patterns.d.ts.map +0 -1
- package/dist/layer1/patterns.js +0 -512
- package/dist/layer1/patterns.js.map +0 -1
- package/dist/layer1/urls.d.ts +0 -11
- package/dist/layer1/urls.d.ts.map +0 -1
- package/dist/layer1/urls.js +0 -444
- package/dist/layer1/urls.js.map +0 -1
- package/dist/layer1/weak-crypto.d.ts +0 -10
- package/dist/layer1/weak-crypto.d.ts.map +0 -1
- package/dist/layer1/weak-crypto.js +0 -428
- package/dist/layer1/weak-crypto.js.map +0 -1
- package/dist/layer2/ai-agent-tools.d.ts +0 -22
- package/dist/layer2/ai-agent-tools.d.ts.map +0 -1
- package/dist/layer2/ai-agent-tools.js +0 -1490
- package/dist/layer2/ai-agent-tools.js.map +0 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +0 -38
- package/dist/layer2/ai-endpoint-protection.d.ts.map +0 -1
- package/dist/layer2/ai-endpoint-protection.js +0 -346
- package/dist/layer2/ai-endpoint-protection.js.map +0 -1
- package/dist/layer2/ai-execution-sinks.d.ts +0 -21
- package/dist/layer2/ai-execution-sinks.d.ts.map +0 -1
- package/dist/layer2/ai-execution-sinks.js +0 -1155
- package/dist/layer2/ai-execution-sinks.js.map +0 -1
- package/dist/layer2/ai-fingerprinting.d.ts +0 -10
- package/dist/layer2/ai-fingerprinting.d.ts.map +0 -1
- package/dist/layer2/ai-fingerprinting.js +0 -650
- package/dist/layer2/ai-fingerprinting.js.map +0 -1
- package/dist/layer2/ai-mcp-security.d.ts +0 -20
- package/dist/layer2/ai-mcp-security.d.ts.map +0 -1
- package/dist/layer2/ai-mcp-security.js +0 -877
- package/dist/layer2/ai-mcp-security.js.map +0 -1
- package/dist/layer2/ai-package-hallucination.d.ts +0 -22
- package/dist/layer2/ai-package-hallucination.d.ts.map +0 -1
- package/dist/layer2/ai-package-hallucination.js +0 -828
- package/dist/layer2/ai-package-hallucination.js.map +0 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts +0 -22
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +0 -1
- package/dist/layer2/ai-prompt-hygiene.js +0 -1156
- package/dist/layer2/ai-prompt-hygiene.js.map +0 -1
- package/dist/layer2/ai-rag-safety.d.ts +0 -24
- package/dist/layer2/ai-rag-safety.d.ts.map +0 -1
- package/dist/layer2/ai-rag-safety.js +0 -910
- package/dist/layer2/ai-rag-safety.js.map +0 -1
- package/dist/layer2/ai-schema-validation.d.ts +0 -28
- package/dist/layer2/ai-schema-validation.d.ts.map +0 -1
- package/dist/layer2/ai-schema-validation.js +0 -375
- package/dist/layer2/ai-schema-validation.js.map +0 -1
- package/dist/layer2/auth-antipatterns.d.ts +0 -22
- package/dist/layer2/auth-antipatterns.d.ts.map +0 -1
- package/dist/layer2/auth-antipatterns.js +0 -522
- package/dist/layer2/auth-antipatterns.js.map +0 -1
- package/dist/layer2/byok-patterns.d.ts +0 -15
- package/dist/layer2/byok-patterns.d.ts.map +0 -1
- package/dist/layer2/byok-patterns.js +0 -302
- package/dist/layer2/byok-patterns.js.map +0 -1
- package/dist/layer2/dangerous-functions/child-process.d.ts +0 -16
- package/dist/layer2/dangerous-functions/child-process.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/child-process.js +0 -74
- package/dist/layer2/dangerous-functions/child-process.js.map +0 -1
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +0 -34
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/dom-xss.js +0 -230
- package/dist/layer2/dangerous-functions/dom-xss.js.map +0 -1
- package/dist/layer2/dangerous-functions/index.d.ts +0 -16
- package/dist/layer2/dangerous-functions/index.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/index.js +0 -1152
- package/dist/layer2/dangerous-functions/index.js.map +0 -1
- package/dist/layer2/dangerous-functions/json-parse.d.ts +0 -31
- package/dist/layer2/dangerous-functions/json-parse.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/json-parse.js +0 -319
- package/dist/layer2/dangerous-functions/json-parse.js.map +0 -1
- package/dist/layer2/dangerous-functions/math-random.d.ts +0 -111
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/math-random.js +0 -684
- package/dist/layer2/dangerous-functions/math-random.js.map +0 -1
- package/dist/layer2/dangerous-functions/patterns.d.ts +0 -21
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/patterns.js +0 -163
- package/dist/layer2/dangerous-functions/patterns.js.map +0 -1
- package/dist/layer2/dangerous-functions/request-validation.d.ts +0 -13
- package/dist/layer2/dangerous-functions/request-validation.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/request-validation.js +0 -119
- package/dist/layer2/dangerous-functions/request-validation.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +0 -24
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.js +0 -70
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts +0 -31
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/helpers.js +0 -147
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/index.d.ts +0 -9
- package/dist/layer2/dangerous-functions/utils/index.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/index.js +0 -23
- package/dist/layer2/dangerous-functions/utils/index.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +0 -22
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +0 -102
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +0 -1
- package/dist/layer2/data-exposure.d.ts +0 -19
- package/dist/layer2/data-exposure.d.ts.map +0 -1
- package/dist/layer2/data-exposure.js +0 -255
- package/dist/layer2/data-exposure.js.map +0 -1
- package/dist/layer2/framework-checks.d.ts +0 -10
- package/dist/layer2/framework-checks.d.ts.map +0 -1
- package/dist/layer2/framework-checks.js +0 -384
- package/dist/layer2/framework-checks.js.map +0 -1
- package/dist/layer2/index.d.ts +0 -74
- package/dist/layer2/index.d.ts.map +0 -1
- package/dist/layer2/index.js +0 -544
- package/dist/layer2/index.js.map +0 -1
- package/dist/layer2/log-injection.d.ts +0 -18
- package/dist/layer2/log-injection.d.ts.map +0 -1
- package/dist/layer2/log-injection.js +0 -214
- package/dist/layer2/log-injection.js.map +0 -1
- package/dist/layer2/logic-gates.d.ts +0 -10
- package/dist/layer2/logic-gates.d.ts.map +0 -1
- package/dist/layer2/logic-gates.js +0 -220
- package/dist/layer2/logic-gates.js.map +0 -1
- package/dist/layer2/model-supply-chain.d.ts +0 -23
- package/dist/layer2/model-supply-chain.d.ts.map +0 -1
- package/dist/layer2/model-supply-chain.js +0 -444
- package/dist/layer2/model-supply-chain.js.map +0 -1
- package/dist/layer2/risky-imports.d.ts +0 -10
- package/dist/layer2/risky-imports.d.ts.map +0 -1
- package/dist/layer2/risky-imports.js +0 -165
- package/dist/layer2/risky-imports.js.map +0 -1
- package/dist/layer2/security-headers.d.ts +0 -18
- package/dist/layer2/security-headers.d.ts.map +0 -1
- package/dist/layer2/security-headers.js +0 -187
- package/dist/layer2/security-headers.js.map +0 -1
- package/dist/layer2/ssrf-detection.d.ts +0 -18
- package/dist/layer2/ssrf-detection.d.ts.map +0 -1
- package/dist/layer2/ssrf-detection.js +0 -252
- package/dist/layer2/ssrf-detection.js.map +0 -1
- package/dist/layer2/variables.d.ts +0 -11
- package/dist/layer2/variables.d.ts.map +0 -1
- package/dist/layer2/variables.js +0 -156
- package/dist/layer2/variables.js.map +0 -1
- package/dist/layer2/xxe-detection.d.ts +0 -18
- package/dist/layer2/xxe-detection.d.ts.map +0 -1
- package/dist/layer2/xxe-detection.js +0 -242
- package/dist/layer2/xxe-detection.js.map +0 -1
- package/dist/layer3/anthropic/auto-dismiss.d.ts +0 -24
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +0 -1
- package/dist/layer3/anthropic/auto-dismiss.js +0 -199
- package/dist/layer3/anthropic/auto-dismiss.js.map +0 -1
- package/dist/layer3/anthropic/clients.d.ts +0 -44
- package/dist/layer3/anthropic/clients.d.ts.map +0 -1
- package/dist/layer3/anthropic/clients.js +0 -81
- package/dist/layer3/anthropic/clients.js.map +0 -1
- package/dist/layer3/anthropic/index.d.ts +0 -41
- package/dist/layer3/anthropic/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/index.js +0 -141
- package/dist/layer3/anthropic/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/index.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/index.js +0 -16
- package/dist/layer3/anthropic/prompts/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +0 -19
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +0 -156
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +0 -9
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +0 -25
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +0 -11
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/common.js +0 -152
- package/dist/layer3/anthropic/prompts/modules/common.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +0 -54
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/index.js +0 -185
- package/dist/layer3/anthropic/prompts/modules/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +0 -84
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +0 -68
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +0 -22
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +0 -1
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +0 -15
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/semantic-analysis.js +0 -169
- package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +0 -1
- package/dist/layer3/anthropic/prompts/validation.d.ts +0 -18
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/validation.js +0 -25
- package/dist/layer3/anthropic/prompts/validation.js.map +0 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts +0 -21
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/anthropic.js +0 -269
- package/dist/layer3/anthropic/providers/anthropic.js.map +0 -1
- package/dist/layer3/anthropic/providers/index.d.ts +0 -8
- package/dist/layer3/anthropic/providers/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/index.js +0 -15
- package/dist/layer3/anthropic/providers/index.js.map +0 -1
- package/dist/layer3/anthropic/providers/openai.d.ts +0 -18
- package/dist/layer3/anthropic/providers/openai.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/openai.js +0 -343
- package/dist/layer3/anthropic/providers/openai.js.map +0 -1
- package/dist/layer3/anthropic/request-builder.d.ts +0 -27
- package/dist/layer3/anthropic/request-builder.d.ts.map +0 -1
- package/dist/layer3/anthropic/request-builder.js +0 -150
- package/dist/layer3/anthropic/request-builder.js.map +0 -1
- package/dist/layer3/anthropic/types.d.ts +0 -88
- package/dist/layer3/anthropic/types.d.ts.map +0 -1
- package/dist/layer3/anthropic/types.js +0 -38
- package/dist/layer3/anthropic/types.js.map +0 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +0 -55
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/context-extractor.js +0 -161
- package/dist/layer3/anthropic/utils/context-extractor.js.map +0 -1
- package/dist/layer3/anthropic/utils/index.d.ts +0 -11
- package/dist/layer3/anthropic/utils/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/index.js +0 -27
- package/dist/layer3/anthropic/utils/index.js.map +0 -1
- package/dist/layer3/anthropic/utils/path-helpers.d.ts +0 -21
- package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/path-helpers.js +0 -69
- package/dist/layer3/anthropic/utils/path-helpers.js.map +0 -1
- package/dist/layer3/anthropic/utils/response-parser.d.ts +0 -40
- package/dist/layer3/anthropic/utils/response-parser.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/response-parser.js +0 -285
- package/dist/layer3/anthropic/utils/response-parser.js.map +0 -1
- package/dist/layer3/anthropic/utils/retry.d.ts +0 -15
- package/dist/layer3/anthropic/utils/retry.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/retry.js +0 -62
- package/dist/layer3/anthropic/utils/retry.js.map +0 -1
- package/dist/layer3/index.d.ts +0 -27
- package/dist/layer3/index.d.ts.map +0 -1
- package/dist/layer3/index.js +0 -150
- package/dist/layer3/index.js.map +0 -1
- package/dist/layer3/osv-check.d.ts +0 -75
- package/dist/layer3/osv-check.d.ts.map +0 -1
- package/dist/layer3/osv-check.js +0 -308
- package/dist/layer3/osv-check.js.map +0 -1
- package/dist/layer3/package-check.d.ts +0 -63
- package/dist/layer3/package-check.d.ts.map +0 -1
- package/dist/layer3/package-check.js +0 -508
- package/dist/layer3/package-check.js.map +0 -1
- package/dist/model/cross-file-taint.d.ts +0 -40
- package/dist/model/cross-file-taint.d.ts.map +0 -1
- package/dist/model/cross-file-taint.js +0 -290
- package/dist/model/cross-file-taint.js.map +0 -1
- package/dist/model/function-classifier.d.ts +0 -32
- package/dist/model/function-classifier.d.ts.map +0 -1
- package/dist/model/function-classifier.js +0 -143
- package/dist/model/function-classifier.js.map +0 -1
- package/dist/model/sanitiser-detection.d.ts +0 -27
- package/dist/model/sanitiser-detection.d.ts.map +0 -1
- package/dist/model/sanitiser-detection.js +0 -224
- package/dist/model/sanitiser-detection.js.map +0 -1
- package/dist/model/sink-matcher.d.ts +0 -17
- package/dist/model/sink-matcher.d.ts.map +0 -1
- package/dist/model/sink-matcher.js +0 -141
- package/dist/model/sink-matcher.js.map +0 -1
- package/dist/model/sink-patterns.d.ts +0 -19
- package/dist/model/sink-patterns.d.ts.map +0 -1
- package/dist/model/sink-patterns.js +0 -88
- package/dist/model/sink-patterns.js.map +0 -1
- package/dist/model/source-discovery.d.ts +0 -15
- package/dist/model/source-discovery.d.ts.map +0 -1
- package/dist/model/source-discovery.js +0 -170
- package/dist/model/source-discovery.js.map +0 -1
- package/dist/model/taint-tracker.d.ts +0 -21
- package/dist/model/taint-tracker.d.ts.map +0 -1
- package/dist/model/taint-tracker.js +0 -281
- package/dist/model/taint-tracker.js.map +0 -1
- package/dist/modes/incremental.d.ts +0 -66
- package/dist/modes/incremental.d.ts.map +0 -1
- package/dist/modes/incremental.js +0 -200
- package/dist/modes/incremental.js.map +0 -1
- package/dist/rules/framework-fixes.d.ts +0 -48
- package/dist/rules/framework-fixes.d.ts.map +0 -1
- package/dist/rules/framework-fixes.js +0 -439
- package/dist/rules/framework-fixes.js.map +0 -1
- package/dist/rules/index.d.ts +0 -8
- package/dist/rules/index.d.ts.map +0 -1
- package/dist/rules/index.js +0 -18
- package/dist/rules/index.js.map +0 -1
- package/dist/rules/metadata.d.ts +0 -43
- package/dist/rules/metadata.d.ts.map +0 -1
- package/dist/rules/metadata.js +0 -800
- package/dist/rules/metadata.js.map +0 -1
- package/dist/score/auto-dismiss.d.ts +0 -28
- package/dist/score/auto-dismiss.d.ts.map +0 -1
- package/dist/score/auto-dismiss.js +0 -200
- package/dist/score/auto-dismiss.js.map +0 -1
- package/dist/suppression/config-loader.d.ts +0 -74
- package/dist/suppression/config-loader.d.ts.map +0 -1
- package/dist/suppression/config-loader.js +0 -424
- package/dist/suppression/config-loader.js.map +0 -1
- package/dist/suppression/hash.d.ts +0 -48
- package/dist/suppression/hash.d.ts.map +0 -1
- package/dist/suppression/hash.js +0 -88
- package/dist/suppression/hash.js.map +0 -1
- package/dist/suppression/index.d.ts +0 -11
- package/dist/suppression/index.d.ts.map +0 -1
- package/dist/suppression/index.js +0 -39
- package/dist/suppression/index.js.map +0 -1
- package/dist/suppression/inline-parser.d.ts +0 -39
- package/dist/suppression/inline-parser.d.ts.map +0 -1
- package/dist/suppression/inline-parser.js +0 -218
- package/dist/suppression/inline-parser.js.map +0 -1
- package/dist/suppression/manager.d.ts +0 -94
- package/dist/suppression/manager.d.ts.map +0 -1
- package/dist/suppression/manager.js +0 -292
- package/dist/suppression/manager.js.map +0 -1
- package/dist/suppression/types.d.ts +0 -151
- package/dist/suppression/types.d.ts.map +0 -1
- package/dist/suppression/types.js +0 -28
- package/dist/suppression/types.js.map +0 -1
- package/dist/types.d.ts +0 -331
- package/dist/types.d.ts.map +0 -1
- package/dist/types.js +0 -124
- package/dist/types.js.map +0 -1
- package/dist/utils/auth-helper-detector.d.ts +0 -56
- package/dist/utils/auth-helper-detector.d.ts.map +0 -1
- package/dist/utils/auth-helper-detector.js +0 -360
- package/dist/utils/auth-helper-detector.js.map +0 -1
- package/dist/utils/code-analysis.d.ts +0 -39
- package/dist/utils/code-analysis.d.ts.map +0 -1
- package/dist/utils/code-analysis.js +0 -159
- package/dist/utils/code-analysis.js.map +0 -1
- package/dist/utils/comment-analyzer.d.ts +0 -38
- package/dist/utils/comment-analyzer.d.ts.map +0 -1
- package/dist/utils/comment-analyzer.js +0 -218
- package/dist/utils/comment-analyzer.js.map +0 -1
- package/dist/utils/context-helpers.d.ts +0 -219
- package/dist/utils/context-helpers.d.ts.map +0 -1
- package/dist/utils/context-helpers.js +0 -886
- package/dist/utils/context-helpers.js.map +0 -1
- package/dist/utils/diff-detector.d.ts +0 -53
- package/dist/utils/diff-detector.d.ts.map +0 -1
- package/dist/utils/diff-detector.js +0 -104
- package/dist/utils/diff-detector.js.map +0 -1
- package/dist/utils/diff-parser.d.ts +0 -80
- package/dist/utils/diff-parser.d.ts.map +0 -1
- package/dist/utils/diff-parser.js +0 -202
- package/dist/utils/diff-parser.js.map +0 -1
- package/dist/utils/environment-context.d.ts +0 -76
- package/dist/utils/environment-context.d.ts.map +0 -1
- package/dist/utils/environment-context.js +0 -271
- package/dist/utils/environment-context.js.map +0 -1
- package/dist/utils/imported-auth-detector.d.ts +0 -37
- package/dist/utils/imported-auth-detector.d.ts.map +0 -1
- package/dist/utils/imported-auth-detector.js +0 -251
- package/dist/utils/imported-auth-detector.js.map +0 -1
- package/dist/utils/intent-detector.d.ts +0 -66
- package/dist/utils/intent-detector.d.ts.map +0 -1
- package/dist/utils/intent-detector.js +0 -282
- package/dist/utils/intent-detector.js.map +0 -1
- package/dist/utils/middleware-detector.d.ts +0 -55
- package/dist/utils/middleware-detector.d.ts.map +0 -1
- package/dist/utils/middleware-detector.js +0 -260
- package/dist/utils/middleware-detector.js.map +0 -1
- package/dist/utils/oauth-flow-detector.d.ts +0 -41
- package/dist/utils/oauth-flow-detector.d.ts.map +0 -1
- package/dist/utils/oauth-flow-detector.js +0 -202
- package/dist/utils/oauth-flow-detector.js.map +0 -1
- package/dist/utils/parsed-file.d.ts +0 -51
- package/dist/utils/parsed-file.d.ts.map +0 -1
- package/dist/utils/parsed-file.js +0 -95
- package/dist/utils/parsed-file.js.map +0 -1
- package/dist/utils/path-exclusions.d.ts +0 -55
- package/dist/utils/path-exclusions.d.ts.map +0 -1
- package/dist/utils/path-exclusions.js +0 -224
- package/dist/utils/path-exclusions.js.map +0 -1
- package/dist/utils/project-context-builder.d.ts +0 -119
- package/dist/utils/project-context-builder.d.ts.map +0 -1
- package/dist/utils/project-context-builder.js +0 -534
- package/dist/utils/project-context-builder.js.map +0 -1
- package/dist/utils/registry-clients.d.ts +0 -93
- package/dist/utils/registry-clients.d.ts.map +0 -1
- package/dist/utils/registry-clients.js +0 -273
- package/dist/utils/registry-clients.js.map +0 -1
- package/dist/utils/route-hierarchy.d.ts +0 -50
- package/dist/utils/route-hierarchy.d.ts.map +0 -1
- package/dist/utils/route-hierarchy.js +0 -226
- package/dist/utils/route-hierarchy.js.map +0 -1
- package/dist/utils/schema-semantics.d.ts +0 -45
- package/dist/utils/schema-semantics.d.ts.map +0 -1
- package/dist/utils/schema-semantics.js +0 -193
- package/dist/utils/schema-semantics.js.map +0 -1
- package/dist/utils/trpc-analyzer.d.ts +0 -78
- package/dist/utils/trpc-analyzer.d.ts.map +0 -1
- package/dist/utils/trpc-analyzer.js +0 -297
- package/dist/utils/trpc-analyzer.js.map +0 -1
- package/src/__tests__/context-engine/cross-file-taint.test.ts +0 -284
- package/src/__tests__/context-engine/function-classifier.test.ts +0 -146
- package/src/__tests__/context-engine/integration.test.ts +0 -320
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +0 -187
- package/src/__tests__/context-engine/sink-matcher.test.ts +0 -251
- package/src/__tests__/context-engine/source-discovery.test.ts +0 -186
- package/src/__tests__/context-engine/taint-tracker.test.ts +0 -182
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +0 -750
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +0 -555
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +0 -321
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +0 -439
- package/src/detect/ai-code/agent-tools.ts +0 -1662
- package/src/detect/ai-code/byok-patterns.ts +0 -354
- package/src/detect/ai-code/endpoint-protection.ts +0 -406
- package/src/detect/ai-code/execution-sinks.ts +0 -1310
- package/src/detect/ai-code/fingerprinting.ts +0 -774
- package/src/detect/ai-code/mcp-security.ts +0 -937
- package/src/detect/ai-code/model-supply-chain.ts +0 -535
- package/src/detect/ai-code/package-hallucination.ts +0 -955
- package/src/detect/ai-code/prompt-hygiene.ts +0 -1314
- package/src/detect/ai-code/rag-safety.ts +0 -977
- package/src/detect/ai-code/schema-validation.ts +0 -427
- package/src/detect/secrets/patterns.ts +0 -561
- package/src/detect/secrets/weak-crypto.ts +0 -485
- package/src/detect/structural/__tests__/math-random-enhanced.test.ts +0 -405
- package/src/detect/structural/auth-patterns.ts +0 -621
- package/src/detect/structural/dangerous-functions/child-process.ts +0 -98
- package/src/detect/structural/dangerous-functions/dom-xss.ts +0 -292
- package/src/detect/structural/dangerous-functions/index.ts +0 -1556
- package/src/detect/structural/dangerous-functions/json-parse.ts +0 -393
- package/src/detect/structural/dangerous-functions/math-random.ts +0 -789
- package/src/detect/structural/dangerous-functions/patterns.ts +0 -176
- package/src/detect/structural/dangerous-functions/request-validation.ts +0 -153
- package/src/detect/structural/dangerous-functions/utils/control-flow.ts +0 -35
- package/src/detect/structural/dangerous-functions/utils/helpers.ts +0 -170
- package/src/detect/structural/dangerous-functions/utils/index.ts +0 -25
- package/src/detect/structural/dangerous-functions/utils/schema-validation.ts +0 -106
- package/src/detect/structural/data-exposure.ts +0 -302
- package/src/detect/structural/framework-checks.ts +0 -439
- package/src/detect/structural/log-injection.ts +0 -254
- package/src/detect/structural/logic-gates.ts +0 -256
- package/src/detect/structural/risky-imports.ts +0 -197
- package/src/detect/structural/security-headers.ts +0 -231
- package/src/detect/structural/ssrf-detection.ts +0 -300
- package/src/detect/structural/variables.ts +0 -177
- package/src/detect/structural/xxe-detection.ts +0 -295
- package/src/model/cross-file-taint.ts +0 -374
- package/src/model/function-classifier.ts +0 -184
- package/src/model/sanitiser-detection.ts +0 -268
- package/src/model/sink-matcher.ts +0 -178
- package/src/model/sink-patterns.ts +0 -109
- package/src/model/source-discovery.ts +0 -209
- package/src/model/taint-tracker.ts +0 -333
- package/src/score/auto-dismiss.ts +0 -224
|
@@ -1,444 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Layer 2: Model Supply Chain Security Detection
|
|
4
|
-
* Detects unsafe model loading patterns that can lead to arbitrary code execution
|
|
5
|
-
*
|
|
6
|
-
* Covers AI Detection Roadmap Phase 2:
|
|
7
|
-
* - Pickle/joblib deserialization RCE
|
|
8
|
-
* - torch.load without weights_only=True
|
|
9
|
-
* - Unverified model sources
|
|
10
|
-
* - Unsafe fine-tuning on user data
|
|
11
|
-
*
|
|
12
|
-
* References:
|
|
13
|
-
* - OWASP LLM05: Supply Chain Vulnerabilities
|
|
14
|
-
* - CWE-502: Deserialization of Untrusted Data
|
|
15
|
-
*/
|
|
16
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
-
exports.detectModelSupplyChain = detectModelSupplyChain;
|
|
18
|
-
const context_helpers_1 = require("../utils/context-helpers");
|
|
19
|
-
// ============================================================================
|
|
20
|
-
// Context Detection
|
|
21
|
-
// ============================================================================
|
|
22
|
-
/**
|
|
23
|
-
* Check if file is in an ML/model context based on path and content
|
|
24
|
-
*/
|
|
25
|
-
function isMLContextFile(filePath, content) {
|
|
26
|
-
// File path indicators
|
|
27
|
-
const mlPathPatterns = [
|
|
28
|
-
/\/(models?|ml|training|inference|weights|checkpoints)\//i,
|
|
29
|
-
/\/(transformers|huggingface|pytorch|tensorflow|keras)\//i,
|
|
30
|
-
/(train|model|inference|fine[-_]?tune).*\.(py|ts|js)$/i,
|
|
31
|
-
];
|
|
32
|
-
if (mlPathPatterns.some(p => p.test(filePath))) {
|
|
33
|
-
return true;
|
|
34
|
-
}
|
|
35
|
-
// Content patterns suggesting ML usage
|
|
36
|
-
const mlContentPatterns = [
|
|
37
|
-
/import\s+(?:torch|tensorflow|keras|transformers|joblib|pickle|dill|cloudpickle|onnx)/i,
|
|
38
|
-
/from\s+(?:torch|tensorflow|keras|transformers|joblib|pickle|dill|cloudpickle|onnx)\s+import/i,
|
|
39
|
-
/\.load_model\s*\(/i,
|
|
40
|
-
/\.from_pretrained\s*\(/i,
|
|
41
|
-
/torch\.load\s*\(/i,
|
|
42
|
-
/torch\.jit\.load\s*\(/i,
|
|
43
|
-
/pickle\.load/i,
|
|
44
|
-
/joblib\.load/i,
|
|
45
|
-
/dill\.load/i,
|
|
46
|
-
/cloudpickle\.load/i,
|
|
47
|
-
/onnx\.load/i,
|
|
48
|
-
/numpy\.load.*allow_pickle/i,
|
|
49
|
-
/np\.load.*allow_pickle/i,
|
|
50
|
-
/yaml\.(?:unsafe_load|full_load|load)/i,
|
|
51
|
-
/Trainer|TrainingArguments/i,
|
|
52
|
-
/model\.save|model\.load/i,
|
|
53
|
-
];
|
|
54
|
-
return mlContentPatterns.some(p => p.test(content));
|
|
55
|
-
}
|
|
56
|
-
// ============================================================================
|
|
57
|
-
// Safe Pattern Detection
|
|
58
|
-
// ============================================================================
|
|
59
|
-
/**
|
|
60
|
-
* Check if torch.load has weights_only=True (safe mode)
|
|
61
|
-
*/
|
|
62
|
-
function hasTorchWeightsOnly(lineContent, surroundingContext) {
|
|
63
|
-
const fullContext = lineContent + '\n' + surroundingContext;
|
|
64
|
-
return /weights_only\s*=\s*True/i.test(fullContext);
|
|
65
|
-
}
|
|
66
|
-
/**
|
|
67
|
-
* Check if TensorFlow/Keras load has safe_mode=True
|
|
68
|
-
*/
|
|
69
|
-
function hasKerasSafeMode(lineContent, surroundingContext) {
|
|
70
|
-
const fullContext = lineContent + '\n' + surroundingContext;
|
|
71
|
-
return /safe_mode\s*=\s*True/i.test(fullContext);
|
|
72
|
-
}
|
|
73
|
-
/**
|
|
74
|
-
* Check if model source is from a trusted provider
|
|
75
|
-
*/
|
|
76
|
-
function isTrustedModelSource(lineContent) {
|
|
77
|
-
const trustedPatterns = [
|
|
78
|
-
// Official Hugging Face repos
|
|
79
|
-
/huggingface\.co\/(meta-llama|openai|anthropic|google|microsoft|facebook|EleutherAI)/i,
|
|
80
|
-
// Specific trusted model IDs (no http prefix)
|
|
81
|
-
/['"`](meta-llama|openai|anthropic|google|microsoft|facebook)\//i,
|
|
82
|
-
// Local file paths (not URLs)
|
|
83
|
-
/['"`]\.\/|['"`]\.\.\/|['"`]\//,
|
|
84
|
-
// Environment variables for paths
|
|
85
|
-
/os\.environ|process\.env/i,
|
|
86
|
-
];
|
|
87
|
-
return trustedPatterns.some(p => p.test(lineContent));
|
|
88
|
-
}
|
|
89
|
-
/**
|
|
90
|
-
* Check if integrity verification is present
|
|
91
|
-
*/
|
|
92
|
-
function hasIntegrityCheck(content, lineNumber) {
|
|
93
|
-
const lines = content.split('\n');
|
|
94
|
-
const contextStart = Math.max(0, lineNumber - 20);
|
|
95
|
-
const contextEnd = Math.min(lines.length, lineNumber + 10);
|
|
96
|
-
const context = lines.slice(contextStart, contextEnd).join('\n');
|
|
97
|
-
const integrityPatterns = [
|
|
98
|
-
/checksum|sha256|sha512|md5|verify_hash|hash_check/i,
|
|
99
|
-
/verify.*integrity|integrity.*verify/i,
|
|
100
|
-
/revision\s*=\s*['"`][a-f0-9]{40}/i, // Git SHA pinning
|
|
101
|
-
/safetensors/i, // SafeTensors format (safe by design)
|
|
102
|
-
/\.ckpt\.sha256|\.bin\.sha256/i, // Hash files
|
|
103
|
-
];
|
|
104
|
-
return integrityPatterns.some(p => p.test(context));
|
|
105
|
-
}
|
|
106
|
-
/**
|
|
107
|
-
* Check if using SafeTensors format (safe by design)
|
|
108
|
-
*/
|
|
109
|
-
function usesSafeTensors(lineContent, surroundingContext) {
|
|
110
|
-
const fullContext = lineContent + '\n' + surroundingContext;
|
|
111
|
-
return /safetensors|\.safetensors|from_safetensors|load_safetensors/i.test(fullContext);
|
|
112
|
-
}
|
|
113
|
-
/**
|
|
114
|
-
* Check if data validation is present for training
|
|
115
|
-
*/
|
|
116
|
-
function hasDataValidation(content, lineNumber) {
|
|
117
|
-
const lines = content.split('\n');
|
|
118
|
-
const contextStart = Math.max(0, lineNumber - 30);
|
|
119
|
-
const contextEnd = Math.min(lines.length, lineNumber + 10);
|
|
120
|
-
const context = lines.slice(contextStart, contextEnd).join('\n');
|
|
121
|
-
const validationPatterns = [
|
|
122
|
-
/validate|sanitize|clean|filter/i,
|
|
123
|
-
/schema\.(parse|validate)/i,
|
|
124
|
-
/content_moderation|moderate_content/i,
|
|
125
|
-
/review.*data|data.*review/i,
|
|
126
|
-
/verified.*dataset|trusted.*data/i,
|
|
127
|
-
];
|
|
128
|
-
return validationPatterns.some(p => p.test(context));
|
|
129
|
-
}
|
|
130
|
-
const MODEL_SUPPLY_CHAIN_PATTERNS = [
|
|
131
|
-
// ========== Pickle Deserialization (RCE) ==========
|
|
132
|
-
{
|
|
133
|
-
name: 'Pickle deserialization',
|
|
134
|
-
pattern: /pickle\.load\s*\(|pickle\.loads\s*\(/gi,
|
|
135
|
-
category: 'ai_unsafe_model_load',
|
|
136
|
-
baseSeverity: 'critical',
|
|
137
|
-
description: 'pickle.load() executes arbitrary Python code embedded in pickle files. Attackers can craft malicious pickle files that execute code when loaded.',
|
|
138
|
-
suggestedFix: 'Use SafeTensors format for ML models. For other data, use JSON or a safe serialization format. If pickle is unavoidable, only load from trusted, verified sources.',
|
|
139
|
-
},
|
|
140
|
-
{
|
|
141
|
-
name: 'Joblib deserialization',
|
|
142
|
-
pattern: /joblib\.load\s*\(/gi,
|
|
143
|
-
category: 'ai_unsafe_model_load',
|
|
144
|
-
baseSeverity: 'critical',
|
|
145
|
-
description: 'joblib.load() uses pickle internally and can execute arbitrary code. This is commonly used for sklearn models but is unsafe for untrusted files.',
|
|
146
|
-
suggestedFix: 'Use ONNX format for sklearn models. Alternatively, use skops.io which provides secure model persistence. Only load from verified sources.',
|
|
147
|
-
},
|
|
148
|
-
// ========== Extended Pickle Variants (RCE) ==========
|
|
149
|
-
{
|
|
150
|
-
name: 'Dill deserialization',
|
|
151
|
-
pattern: /\bdill\.(load|loads|load_session)\s*\(/gi,
|
|
152
|
-
category: 'ai_unsafe_model_load',
|
|
153
|
-
baseSeverity: 'critical',
|
|
154
|
-
description: 'dill can execute arbitrary code during deserialization, similar to pickle but with extended capabilities including serializing lambdas and closures.',
|
|
155
|
-
suggestedFix: 'Use SafeTensors format or JSON serialization instead of dill. If dill is unavoidable, only load from trusted, verified sources.',
|
|
156
|
-
},
|
|
157
|
-
{
|
|
158
|
-
name: 'Cloudpickle deserialization',
|
|
159
|
-
pattern: /\bcloudpickle\.(load|loads)\s*\(/gi,
|
|
160
|
-
category: 'ai_unsafe_model_load',
|
|
161
|
-
baseSeverity: 'critical',
|
|
162
|
-
description: 'cloudpickle can serialize and execute arbitrary functions, enabling remote code execution during deserialization.',
|
|
163
|
-
suggestedFix: 'Use SafeTensors format or explicitly define functions instead of deserializing them. Avoid cloudpickle for untrusted data.',
|
|
164
|
-
},
|
|
165
|
-
// ========== YAML Unsafe Loading (RCE) ==========
|
|
166
|
-
{
|
|
167
|
-
name: 'YAML unsafe deserialization',
|
|
168
|
-
pattern: /\byaml\.(unsafe_load|full_load|UnsafeLoader)\s*\(/gi,
|
|
169
|
-
category: 'ai_unsafe_model_load',
|
|
170
|
-
baseSeverity: 'critical',
|
|
171
|
-
description: 'yaml.unsafe_load() and yaml.full_load() can instantiate arbitrary Python objects, enabling remote code execution.',
|
|
172
|
-
suggestedFix: 'Use yaml.safe_load() instead of yaml.unsafe_load() or yaml.full_load(). SafeLoader only loads basic Python types.',
|
|
173
|
-
},
|
|
174
|
-
{
|
|
175
|
-
name: 'YAML load without explicit Loader',
|
|
176
|
-
pattern: /\byaml\.load\s*\(\s*[^,)]+\s*\)(?!\s*,)/gi,
|
|
177
|
-
category: 'ai_unsafe_model_load',
|
|
178
|
-
baseSeverity: 'medium',
|
|
179
|
-
description: 'yaml.load() without explicit Loader argument may use unsafe loading in older PyYAML versions (< 5.1).',
|
|
180
|
-
suggestedFix: 'Use yaml.safe_load() or explicitly specify Loader=yaml.SafeLoader: yaml.load(file, Loader=yaml.SafeLoader)',
|
|
181
|
-
},
|
|
182
|
-
// ========== NumPy Pickle Loading (RCE) ==========
|
|
183
|
-
{
|
|
184
|
-
name: 'NumPy pickle loading',
|
|
185
|
-
pattern: /\b(?:np|numpy)\.load\s*\([^)]*allow_pickle\s*=\s*True/gi,
|
|
186
|
-
category: 'ai_unsafe_model_load',
|
|
187
|
-
baseSeverity: 'high',
|
|
188
|
-
description: 'numpy.load() with allow_pickle=True can execute arbitrary code embedded in .npy/.npz files via pickle.',
|
|
189
|
-
suggestedFix: 'Use allow_pickle=False (default in numpy >= 1.16.3) or use SafeTensors format. Only allow_pickle from verified sources.',
|
|
190
|
-
},
|
|
191
|
-
// ========== TorchScript Loading (RCE) ==========
|
|
192
|
-
{
|
|
193
|
-
name: 'TorchScript model loading',
|
|
194
|
-
pattern: /\btorch\.jit\.load\s*\(/gi,
|
|
195
|
-
category: 'ai_unsafe_model_load',
|
|
196
|
-
baseSeverity: 'high',
|
|
197
|
-
description: 'torch.jit.load() can execute arbitrary code embedded in TorchScript models. TorchScript files can contain custom operators with native code.',
|
|
198
|
-
suggestedFix: 'Use SafeTensors format or verify model source and integrity before loading. Pin to specific model revisions with checksums.',
|
|
199
|
-
},
|
|
200
|
-
// ========== ONNX Model Loading (Code Execution Risk) ==========
|
|
201
|
-
{
|
|
202
|
-
name: 'ONNX model loading',
|
|
203
|
-
pattern: /\bonnx\.load\s*\(/gi,
|
|
204
|
-
category: 'ai_unsafe_model_load',
|
|
205
|
-
baseSeverity: 'medium',
|
|
206
|
-
description: 'ONNX models with custom operators can execute arbitrary code. Custom ops are loaded as shared libraries.',
|
|
207
|
-
suggestedFix: 'Verify ONNX model source and check for custom operators before loading. Use onnx.checker.check_model() and inspect custom ops.',
|
|
208
|
-
},
|
|
209
|
-
// ========== PyTorch Loading ==========
|
|
210
|
-
{
|
|
211
|
-
name: 'torch.load without weights_only',
|
|
212
|
-
pattern: /torch\.load\s*\([^)]*\)/gi,
|
|
213
|
-
category: 'ai_unsafe_model_load',
|
|
214
|
-
baseSeverity: 'high',
|
|
215
|
-
description: 'torch.load() without weights_only=True can execute arbitrary code embedded in model files via pickle.',
|
|
216
|
-
suggestedFix: 'Use torch.load(path, weights_only=True) to load only tensor data safely. Or use SafeTensors format: from safetensors.torch import load_file',
|
|
217
|
-
checkSafeMode: 'torch',
|
|
218
|
-
},
|
|
219
|
-
// ========== TensorFlow/Keras Loading ==========
|
|
220
|
-
{
|
|
221
|
-
name: 'Keras load_model without safe_mode',
|
|
222
|
-
pattern: /(?:keras\.models\.)?load_model\s*\([^)]*\)/gi,
|
|
223
|
-
category: 'ai_unsafe_model_load',
|
|
224
|
-
baseSeverity: 'high',
|
|
225
|
-
description: 'Keras load_model() can execute arbitrary code from Lambda layers or custom objects in model files.',
|
|
226
|
-
suggestedFix: 'Use tf.keras.models.load_model(path, safe_mode=True) in TensorFlow 2.13+. Alternatively, save/load only weights with model.save_weights()/load_weights().',
|
|
227
|
-
checkSafeMode: 'keras',
|
|
228
|
-
},
|
|
229
|
-
// ========== Unverified Model Sources ==========
|
|
230
|
-
{
|
|
231
|
-
name: 'Model from HTTP URL',
|
|
232
|
-
pattern: /from_pretrained\s*\(\s*['"`]https?:\/\/[^'"`)]+['"`]/gi,
|
|
233
|
-
category: 'ai_unverified_model',
|
|
234
|
-
baseSeverity: 'high',
|
|
235
|
-
description: 'Loading models directly from HTTP URLs bypasses the Hugging Face Hub\'s verification. Attackers could serve malicious models via MITM attacks.',
|
|
236
|
-
suggestedFix: 'Load from Hugging Face Hub by model ID instead of direct URL. Pin to specific revision: from_pretrained("org/model", revision="abc123")',
|
|
237
|
-
checkTrustedSource: true,
|
|
238
|
-
},
|
|
239
|
-
{
|
|
240
|
-
name: 'trust_remote_code=True',
|
|
241
|
-
pattern: /trust_remote_code\s*=\s*True/gi,
|
|
242
|
-
category: 'ai_unsafe_model_load',
|
|
243
|
-
baseSeverity: 'high',
|
|
244
|
-
description: 'trust_remote_code=True allows model repos to execute arbitrary Python code during loading. Malicious repos could compromise your system.',
|
|
245
|
-
suggestedFix: 'Avoid trust_remote_code=True. Use models that don\'t require custom code. If necessary, audit the model repo code before enabling.',
|
|
246
|
-
},
|
|
247
|
-
{
|
|
248
|
-
name: 'Model download without verification',
|
|
249
|
-
pattern: /(?:urllib|requests|wget|curl).*(?:\.pth|\.pt|\.bin|\.ckpt|\.h5|\.keras|model)/gi,
|
|
250
|
-
category: 'ai_unverified_model',
|
|
251
|
-
baseSeverity: 'medium',
|
|
252
|
-
description: 'Downloading model files without integrity verification. Attackers could serve modified files via compromised mirrors or MITM.',
|
|
253
|
-
suggestedFix: 'Verify downloaded files against known checksums: sha256sum file.pth. Use official download APIs (transformers, torch.hub) which include verification.',
|
|
254
|
-
checkIntegrity: true,
|
|
255
|
-
},
|
|
256
|
-
// ========== Unsafe Fine-tuning ==========
|
|
257
|
-
{
|
|
258
|
-
name: 'Training on user uploads',
|
|
259
|
-
pattern: /(?:trainer|model)\.(?:train|fit|fine_tune)\s*\([^)]*(?:user_uploads?|user_data|uploaded|untrusted)/gi,
|
|
260
|
-
category: 'ai_unsafe_finetuning',
|
|
261
|
-
baseSeverity: 'high',
|
|
262
|
-
description: 'Training/fine-tuning directly on user-uploaded data without validation enables data poisoning attacks.',
|
|
263
|
-
suggestedFix: 'Validate and sanitize all training data. Implement content moderation. Use separate data pipelines for user content with review steps.',
|
|
264
|
-
checkDataValidation: true,
|
|
265
|
-
},
|
|
266
|
-
{
|
|
267
|
-
name: 'Trainer with user data',
|
|
268
|
-
pattern: /Trainer\s*\([^)]*(?:train_dataset|eval_dataset)\s*=\s*(?:user_uploads?|user_data|uploaded_data|untrusted_data)/gi,
|
|
269
|
-
category: 'ai_unsafe_finetuning',
|
|
270
|
-
baseSeverity: 'high',
|
|
271
|
-
description: 'Trainer initialized with user-uploaded data without validation. Data poisoning attacks can manipulate model behavior.',
|
|
272
|
-
suggestedFix: 'Validate and sanitize all training data before passing to Trainer. Implement content moderation and review pipelines.',
|
|
273
|
-
checkDataValidation: true,
|
|
274
|
-
},
|
|
275
|
-
{
|
|
276
|
-
name: 'Fine-tuning with external dataset',
|
|
277
|
-
pattern: /(?:load_dataset|datasets\.load)\s*\([^)]*(?:path|url|http)/gi,
|
|
278
|
-
category: 'ai_unsafe_finetuning',
|
|
279
|
-
baseSeverity: 'medium',
|
|
280
|
-
description: 'Loading training datasets from external sources without verification. Data could be poisoned.',
|
|
281
|
-
suggestedFix: 'Use verified datasets from trusted sources. Implement data validation pipelines. Consider dataset hashing/signing.',
|
|
282
|
-
checkDataValidation: true,
|
|
283
|
-
},
|
|
284
|
-
{
|
|
285
|
-
name: 'Training config from user input',
|
|
286
|
-
pattern: /TrainingArguments\s*\([^)]*(?:request|user|input|body)\./gi,
|
|
287
|
-
category: 'ai_unsafe_finetuning',
|
|
288
|
-
baseSeverity: 'medium',
|
|
289
|
-
description: 'Training arguments derived from user input. Attackers could manipulate training hyperparameters to compromise model behavior.',
|
|
290
|
-
suggestedFix: 'Validate and sanitize all training arguments. Use allowlists for hyperparameter values. Don\'t allow users to specify output paths.',
|
|
291
|
-
},
|
|
292
|
-
// ========== TensorFlow Specific ==========
|
|
293
|
-
{
|
|
294
|
-
name: 'TensorFlow SavedModel from path',
|
|
295
|
-
pattern: /tf\.saved_model\.load\s*\([^)]*(?:http|ftp|user|upload)/gi,
|
|
296
|
-
category: 'ai_unverified_model',
|
|
297
|
-
baseSeverity: 'high',
|
|
298
|
-
description: 'Loading TensorFlow SavedModel from untrusted path. SavedModels can contain arbitrary ops that execute code.',
|
|
299
|
-
suggestedFix: 'Only load SavedModels from trusted, verified sources. Use TF Serving with model verification for production.',
|
|
300
|
-
checkTrustedSource: true,
|
|
301
|
-
},
|
|
302
|
-
];
|
|
303
|
-
// ============================================================================
|
|
304
|
-
// Helper Functions
|
|
305
|
-
// ============================================================================
|
|
306
|
-
/**
|
|
307
|
-
* Get surrounding context for analysis
|
|
308
|
-
*/
|
|
309
|
-
function getSurroundingContext(content, lineIndex, windowSize = 15) {
|
|
310
|
-
const lines = content.split('\n');
|
|
311
|
-
const start = Math.max(0, lineIndex - windowSize);
|
|
312
|
-
const end = Math.min(lines.length, lineIndex + windowSize);
|
|
313
|
-
return lines.slice(start, end).join('\n');
|
|
314
|
-
}
|
|
315
|
-
/**
|
|
316
|
-
* Calculate severity based on mitigations
|
|
317
|
-
*/
|
|
318
|
-
function calculateSeverity(baseSeverity, isMitigated, isPartiallyMitigated, isTestFile, isExample, isLibrary) {
|
|
319
|
-
if (isTestFile || isExample || isLibrary) {
|
|
320
|
-
return 'info';
|
|
321
|
-
}
|
|
322
|
-
if (isMitigated) {
|
|
323
|
-
return 'info';
|
|
324
|
-
}
|
|
325
|
-
if (isPartiallyMitigated) {
|
|
326
|
-
if (baseSeverity === 'critical')
|
|
327
|
-
return 'high';
|
|
328
|
-
if (baseSeverity === 'high')
|
|
329
|
-
return 'medium';
|
|
330
|
-
if (baseSeverity === 'medium')
|
|
331
|
-
return 'low';
|
|
332
|
-
}
|
|
333
|
-
return baseSeverity;
|
|
334
|
-
}
|
|
335
|
-
// ============================================================================
|
|
336
|
-
// Main Detection Function
|
|
337
|
-
// ============================================================================
|
|
338
|
-
/**
|
|
339
|
-
* Main detection function for model supply chain security issues
|
|
340
|
-
*/
|
|
341
|
-
function detectModelSupplyChain(content, filePath, options) {
|
|
342
|
-
const vulnerabilities = [];
|
|
343
|
-
// Skip non-applicable files
|
|
344
|
-
if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
|
|
345
|
-
return vulnerabilities;
|
|
346
|
-
// Only scan files that appear to be in ML context
|
|
347
|
-
if (!isMLContextFile(filePath, content)) {
|
|
348
|
-
return vulnerabilities;
|
|
349
|
-
}
|
|
350
|
-
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
351
|
-
const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
|
|
352
|
-
const isExample = (0, context_helpers_1.isExampleDirectory)(filePath);
|
|
353
|
-
const isLibrary = (0, context_helpers_1.isLibraryCode)(filePath);
|
|
354
|
-
for (const pattern of MODEL_SUPPLY_CHAIN_PATTERNS) {
|
|
355
|
-
const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
|
|
356
|
-
let match;
|
|
357
|
-
while ((match = regex.exec(content)) !== null) {
|
|
358
|
-
const lineNumber = content.substring(0, match.index).split('\n').length;
|
|
359
|
-
const lineContent = lines[lineNumber - 1]?.trim() || '';
|
|
360
|
-
// Skip comments
|
|
361
|
-
if ((0, context_helpers_1.isComment)(lineContent))
|
|
362
|
-
continue;
|
|
363
|
-
const surroundingContext = getSurroundingContext(content, lineNumber - 1);
|
|
364
|
-
// Check for mitigations
|
|
365
|
-
let isMitigated = false;
|
|
366
|
-
let isPartiallyMitigated = false;
|
|
367
|
-
let description = pattern.description;
|
|
368
|
-
// Check SafeTensors usage (mitigates most pickle/torch issues)
|
|
369
|
-
if (usesSafeTensors(lineContent, surroundingContext)) {
|
|
370
|
-
isMitigated = true;
|
|
371
|
-
description += ' (SafeTensors format detected - safe.)';
|
|
372
|
-
}
|
|
373
|
-
// Check torch weights_only
|
|
374
|
-
if (pattern.checkSafeMode === 'torch') {
|
|
375
|
-
if (hasTorchWeightsOnly(lineContent, surroundingContext)) {
|
|
376
|
-
isMitigated = true;
|
|
377
|
-
description += ' (weights_only=True detected - safe.)';
|
|
378
|
-
}
|
|
379
|
-
}
|
|
380
|
-
// Check keras safe_mode
|
|
381
|
-
if (pattern.checkSafeMode === 'keras') {
|
|
382
|
-
if (hasKerasSafeMode(lineContent, surroundingContext)) {
|
|
383
|
-
isMitigated = true;
|
|
384
|
-
description += ' (safe_mode=True detected - safe.)';
|
|
385
|
-
}
|
|
386
|
-
}
|
|
387
|
-
// Check trusted source
|
|
388
|
-
if (pattern.checkTrustedSource) {
|
|
389
|
-
if (isTrustedModelSource(lineContent)) {
|
|
390
|
-
isPartiallyMitigated = true;
|
|
391
|
-
description += ' (Trusted source detected.)';
|
|
392
|
-
}
|
|
393
|
-
}
|
|
394
|
-
// Check integrity verification
|
|
395
|
-
if (pattern.checkIntegrity) {
|
|
396
|
-
if (hasIntegrityCheck(content, lineNumber)) {
|
|
397
|
-
isMitigated = true;
|
|
398
|
-
description += ' (Integrity verification detected.)';
|
|
399
|
-
}
|
|
400
|
-
}
|
|
401
|
-
// Check data validation for training
|
|
402
|
-
if (pattern.checkDataValidation) {
|
|
403
|
-
if (hasDataValidation(content, lineNumber)) {
|
|
404
|
-
isPartiallyMitigated = true;
|
|
405
|
-
description += ' (Data validation detected nearby.)';
|
|
406
|
-
}
|
|
407
|
-
}
|
|
408
|
-
// Skip if fully mitigated
|
|
409
|
-
if (isMitigated)
|
|
410
|
-
continue;
|
|
411
|
-
// Calculate final severity
|
|
412
|
-
const severity = calculateSeverity(pattern.baseSeverity, isMitigated, isPartiallyMitigated, isTestFile, isExample, isLibrary);
|
|
413
|
-
// Add context notes
|
|
414
|
-
if (isTestFile) {
|
|
415
|
-
description += ' (In test file.)';
|
|
416
|
-
}
|
|
417
|
-
else if (isExample) {
|
|
418
|
-
description += ' (In example/demo directory.)';
|
|
419
|
-
}
|
|
420
|
-
else if (isLibrary) {
|
|
421
|
-
description += ' (Library code.)';
|
|
422
|
-
}
|
|
423
|
-
// Skip info-level in non-ML focused files to reduce noise
|
|
424
|
-
if (severity === 'info' && !isMLContextFile(filePath, content))
|
|
425
|
-
continue;
|
|
426
|
-
vulnerabilities.push({
|
|
427
|
-
id: `model-supply-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
|
|
428
|
-
filePath,
|
|
429
|
-
lineNumber,
|
|
430
|
-
lineContent,
|
|
431
|
-
severity,
|
|
432
|
-
category: pattern.category,
|
|
433
|
-
title: pattern.name,
|
|
434
|
-
description,
|
|
435
|
-
suggestedFix: pattern.suggestedFix,
|
|
436
|
-
confidence: severity === 'info' ? 'low' : 'high',
|
|
437
|
-
layer: 2,
|
|
438
|
-
requiresAIValidation: severity !== 'info' && severity !== 'low',
|
|
439
|
-
});
|
|
440
|
-
}
|
|
441
|
-
}
|
|
442
|
-
return vulnerabilities;
|
|
443
|
-
}
|
|
444
|
-
//# sourceMappingURL=model-supply-chain.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"model-supply-chain.js","sourceRoot":"","sources":["../../src/layer2/model-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAsYH,wDA+HC;AAjgBD,8DAMiC;AAEjC,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB,EAAE,OAAe;IACxD,uBAAuB;IACvB,MAAM,cAAc,GAAG;QACrB,0DAA0D;QAC1D,0DAA0D;QAC1D,uDAAuD;KACxD,CAAA;IAED,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAA;IACb,CAAC;IAED,uCAAuC;IACvC,MAAM,iBAAiB,GAAG;QACxB,uFAAuF;QACvF,8FAA8F;QAC9F,oBAAoB;QACpB,yBAAyB;QACzB,mBAAmB;QACnB,wBAAwB;QACxB,eAAe;QACf,eAAe;QACf,aAAa;QACb,oBAAoB;QACpB,aAAa;QACb,4BAA4B;QAC5B,yBAAyB;QACzB,uCAAuC;QACvC,4BAA4B;QAC5B,0BAA0B;KAC3B,CAAA;IAED,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACrD,CAAC;AAED,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,mBAAmB,CAAC,WAAmB,EAAE,kBAA0B;IAC1E,MAAM,WAAW,GAAG,WAAW,GAAG,IAAI,GAAG,kBAAkB,CAAA;IAC3D,OAAO,0BAA0B,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,WAAmB,EAAE,kBAA0B;IACvE,MAAM,WAAW,GAAG,WAAW,GAAG,IAAI,GAAG,kBAAkB,CAAA;IAC3D,OAAO,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;AAClD,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,WAAmB;IAC/C,MAAM,eAAe,GAAG;QACtB,8BAA8B;QAC9B,sFAAsF;QACtF,8CAA8C;QAC9C,iEAAiE;QACjE,8BAA8B;QAC9B,+BAA+B;QAC/B,kCAAkC;QAClC,2BAA2B;KAC5B,CAAA;IAED,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAe,EAAE,UAAkB;IAC5D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IAC1D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEhE,MAAM,iBAAiB,GAAG;QACxB,oDAAoD;QACpD,sCAAsC;QACtC,mCAAmC,EAAE,kBAAkB;QACvD,cAAc,EAAE,sCAAsC;QACtD,+BAA+B,EAAE,aAAa;KAC/C,CAAA;IAED,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,WAAmB,EAAE,kBAA0B;IACtE,MAAM,WAAW,GAAG,WAAW,GAAG,IAAI,GAAG,kBAAkB,CAAA;IAC3D,OAAO,8DAA8D,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;AACzF,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,OAAe,EAAE,UAAkB;IAC5D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IACjD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,UAAU,GAAG,EAAE,CAAC,CAAA;IAC1D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAEhE,MAAM,kBAAkB,GAAG;QACzB,iCAAiC;QACjC,2BAA2B;QAC3B,sCAAsC;QACtC,4BAA4B;QAC5B,kCAAkC;KACnC,CAAA;IAED,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACtD,CAAC;AAmBD,MAAM,2BAA2B,GAA8B;IAC7D,qDAAqD;IACrD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,wCAAwC;QACjD,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,kJAAkJ;QAC/J,YAAY,EAAE,oKAAoK;KACnL;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,kJAAkJ;QAC/J,YAAY,EAAE,2IAA2I;KAC1J;IAED,uDAAuD;IACvD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,0CAA0C;QACnD,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,sJAAsJ;QACnK,YAAY,EAAE,iIAAiI;KAChJ;IACD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,oCAAoC;QAC7C,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,mHAAmH;QAChI,YAAY,EAAE,4HAA4H;KAC3I;IAED,kDAAkD;IAClD;QACE,IAAI,EAAE,6BAA6B;QACnC,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,mHAAmH;QAChI,YAAY,EAAE,mHAAmH;KAClI;IACD;QACE,IAAI,EAAE,mCAAmC;QACzC,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,uGAAuG;QACpH,YAAY,EAAE,4GAA4G;KAC3H;IAED,mDAAmD;IACnD;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,yDAAyD;QAClE,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,wGAAwG;QACrH,YAAY,EAAE,yHAAyH;KACxI;IAED,kDAAkD;IAClD;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,8IAA8I;QAC3J,YAAY,EAAE,6HAA6H;KAC5I;IAED,iEAAiE;IACjE;QACE,IAAI,EAAE,oBAAoB;QAC1B,OAAO,EAAE,qBAAqB;QAC9B,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,0GAA0G;QACvH,YAAY,EAAE,gIAAgI;KAC/I;IAED,wCAAwC;IACxC;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,uGAAuG;QACpH,YAAY,EAAE,6IAA6I;QAC3J,aAAa,EAAE,OAAO;KACvB;IAED,iDAAiD;IACjD;QACE,IAAI,EAAE,oCAAoC;QAC1C,OAAO,EAAE,8CAA8C;QACvD,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,oGAAoG;QACjH,YAAY,EAAE,2JAA2J;QACzK,aAAa,EAAE,OAAO;KACvB;IAED,iDAAiD;IACjD;QACE,IAAI,EAAE,qBAAqB;QAC3B,OAAO,EAAE,wDAAwD;QACjE,QAAQ,EAAE,qBAAqB;QAC/B,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,gJAAgJ;QAC7J,YAAY,EAAE,yIAAyI;QACvJ,kBAAkB,EAAE,IAAI;KACzB;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,gCAAgC;QACzC,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,0IAA0I;QACvJ,YAAY,EAAE,oIAAoI;KACnJ;IACD;QACE,IAAI,EAAE,qCAAqC;QAC3C,OAAO,EAAE,iFAAiF;QAC1F,QAAQ,EAAE,qBAAqB;QAC/B,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,+HAA+H;QAC5I,YAAY,EAAE,uJAAuJ;QACrK,cAAc,EAAE,IAAI;KACrB;IAED,2CAA2C;IAC3C;QACE,IAAI,EAAE,0BAA0B;QAChC,OAAO,EAAE,sGAAsG;QAC/G,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,wGAAwG;QACrH,YAAY,EAAE,wIAAwI;QACtJ,mBAAmB,EAAE,IAAI;KAC1B;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,kHAAkH;QAC3H,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,uHAAuH;QACpI,YAAY,EAAE,uHAAuH;QACrI,mBAAmB,EAAE,IAAI;KAC1B;IACD;QACE,IAAI,EAAE,mCAAmC;QACzC,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,+FAA+F;QAC5G,YAAY,EAAE,oHAAoH;QAClI,mBAAmB,EAAE,IAAI;KAC1B;IACD;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,4DAA4D;QACrE,QAAQ,EAAE,sBAAsB;QAChC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,+HAA+H;QAC5I,YAAY,EAAE,qIAAqI;KACpJ;IAED,4CAA4C;IAC5C;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,2DAA2D;QACpE,QAAQ,EAAE,qBAAqB;QAC/B,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,6GAA6G;QAC1H,YAAY,EAAE,8GAA8G;QAC5H,kBAAkB,EAAE,IAAI;KACzB;CACF,CAAA;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,qBAAqB,CAAC,OAAe,EAAE,SAAiB,EAAE,aAAqB,EAAE;IACxF,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IAC1D,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC3C,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,YAAmC,EACnC,WAAoB,EACpB,oBAA6B,EAC7B,UAAmB,EACnB,SAAkB,EAClB,SAAkB;IAElB,IAAI,UAAU,IAAI,SAAS,IAAI,SAAS,EAAE,CAAC;QACzC,OAAO,MAAM,CAAA;IACf,CAAC;IAED,IAAI,WAAW,EAAE,CAAC;QAChB,OAAO,MAAM,CAAA;IACf,CAAC;IAED,IAAI,oBAAoB,EAAE,CAAC;QACzB,IAAI,YAAY,KAAK,UAAU;YAAE,OAAO,MAAM,CAAA;QAC9C,IAAI,YAAY,KAAK,MAAM;YAAE,OAAO,QAAQ,CAAA;QAC5C,IAAI,YAAY,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAA;IAC7C,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,sBAAsB,CACpC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,4BAA4B;IAC5B,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,kDAAkD;IAClD,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QACxC,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,IAAA,oCAAkB,EAAC,QAAQ,CAAC,CAAA;IAC9C,MAAM,SAAS,GAAG,IAAA,+BAAa,EAAC,QAAQ,CAAC,CAAA;IAEzC,KAAK,MAAM,OAAO,IAAI,2BAA2B,EAAE,CAAC;QAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,MAAM,kBAAkB,GAAG,qBAAqB,CAAC,OAAO,EAAE,UAAU,GAAG,CAAC,CAAC,CAAA;YAEzE,wBAAwB;YACxB,IAAI,WAAW,GAAG,KAAK,CAAA;YACvB,IAAI,oBAAoB,GAAG,KAAK,CAAA;YAChC,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YAErC,+DAA+D;YAC/D,IAAI,eAAe,CAAC,WAAW,EAAE,kBAAkB,CAAC,EAAE,CAAC;gBACrD,WAAW,GAAG,IAAI,CAAA;gBAClB,WAAW,IAAI,wCAAwC,CAAA;YACzD,CAAC;YAED,2BAA2B;YAC3B,IAAI,OAAO,CAAC,aAAa,KAAK,OAAO,EAAE,CAAC;gBACtC,IAAI,mBAAmB,CAAC,WAAW,EAAE,kBAAkB,CAAC,EAAE,CAAC;oBACzD,WAAW,GAAG,IAAI,CAAA;oBAClB,WAAW,IAAI,uCAAuC,CAAA;gBACxD,CAAC;YACH,CAAC;YAED,wBAAwB;YACxB,IAAI,OAAO,CAAC,aAAa,KAAK,OAAO,EAAE,CAAC;gBACtC,IAAI,gBAAgB,CAAC,WAAW,EAAE,kBAAkB,CAAC,EAAE,CAAC;oBACtD,WAAW,GAAG,IAAI,CAAA;oBAClB,WAAW,IAAI,oCAAoC,CAAA;gBACrD,CAAC;YACH,CAAC;YAED,uBAAuB;YACvB,IAAI,OAAO,CAAC,kBAAkB,EAAE,CAAC;gBAC/B,IAAI,oBAAoB,CAAC,WAAW,CAAC,EAAE,CAAC;oBACtC,oBAAoB,GAAG,IAAI,CAAA;oBAC3B,WAAW,IAAI,6BAA6B,CAAA;gBAC9C,CAAC;YACH,CAAC;YAED,+BAA+B;YAC/B,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBAC3B,IAAI,iBAAiB,CAAC,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC;oBAC3C,WAAW,GAAG,IAAI,CAAA;oBAClB,WAAW,IAAI,qCAAqC,CAAA;gBACtD,CAAC;YACH,CAAC;YAED,qCAAqC;YACrC,IAAI,OAAO,CAAC,mBAAmB,EAAE,CAAC;gBAChC,IAAI,iBAAiB,CAAC,OAAO,EAAE,UAAU,CAAC,EAAE,CAAC;oBAC3C,oBAAoB,GAAG,IAAI,CAAA;oBAC3B,WAAW,IAAI,qCAAqC,CAAA;gBACtD,CAAC;YACH,CAAC;YAED,0BAA0B;YAC1B,IAAI,WAAW;gBAAE,SAAQ;YAEzB,2BAA2B;YAC3B,MAAM,QAAQ,GAAG,iBAAiB,CAChC,OAAO,CAAC,YAAY,EACpB,WAAW,EACX,oBAAoB,EACpB,UAAU,EACV,SAAS,EACT,SAAS,CACV,CAAA;YAED,oBAAoB;YACpB,IAAI,UAAU,EAAE,CAAC;gBACf,WAAW,IAAI,kBAAkB,CAAA;YACnC,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,WAAW,IAAI,+BAA+B,CAAA;YAChD,CAAC;iBAAM,IAAI,SAAS,EAAE,CAAC;gBACrB,WAAW,IAAI,kBAAkB,CAAA;YACnC,CAAC;YAED,0DAA0D;YAC1D,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC;gBAAE,SAAQ;YAExE,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,gBAAgB,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE;gBACjF,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;gBAChD,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,KAAK;aAChE,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -1,10 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Layer 2: Risky Import/Package Analysis
|
|
3
|
-
* Detects imports of packages known to have security concerns or deprecated
|
|
4
|
-
*/
|
|
5
|
-
import type { Vulnerability } from '../types';
|
|
6
|
-
import type { ParsedFile } from '../utils/parsed-file';
|
|
7
|
-
export declare function detectRiskyImports(content: string, filePath: string, options?: {
|
|
8
|
-
parsed?: ParsedFile;
|
|
9
|
-
}): Vulnerability[];
|
|
10
|
-
//# sourceMappingURL=risky-imports.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"risky-imports.d.ts","sourceRoot":"","sources":["../../src/layer2/risky-imports.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAmJtD,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAmCjB"}
|
|
@@ -1,165 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Layer 2: Risky Import/Package Analysis
|
|
4
|
-
* Detects imports of packages known to have security concerns or deprecated
|
|
5
|
-
*/
|
|
6
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
-
exports.detectRiskyImports = detectRiskyImports;
|
|
8
|
-
const context_helpers_1 = require("../utils/context-helpers");
|
|
9
|
-
const RISKY_PACKAGES = [
|
|
10
|
-
// Known vulnerable or deprecated packages
|
|
11
|
-
{
|
|
12
|
-
name: 'request (deprecated)',
|
|
13
|
-
pattern: /require\s*\(\s*['"]request['"]\s*\)|from\s+['"]request['"]/gi,
|
|
14
|
-
severity: 'medium',
|
|
15
|
-
description: 'The "request" package is deprecated and no longer maintained',
|
|
16
|
-
suggestedFix: 'Migrate to fetch, axios, or node-fetch',
|
|
17
|
-
},
|
|
18
|
-
{
|
|
19
|
-
name: 'node-uuid (deprecated)',
|
|
20
|
-
pattern: /require\s*\(\s*['"]node-uuid['"]\s*\)|from\s+['"]node-uuid['"]/gi,
|
|
21
|
-
severity: 'low',
|
|
22
|
-
description: 'node-uuid is deprecated in favor of uuid package',
|
|
23
|
-
suggestedFix: 'Use the "uuid" package instead',
|
|
24
|
-
},
|
|
25
|
-
// Packages with known security issues
|
|
26
|
-
{
|
|
27
|
-
name: 'lodash (full import)',
|
|
28
|
-
pattern: /require\s*\(\s*['"]lodash['"]\s*\)|import\s+\*?\s*(?:as\s+)?\w+\s+from\s+['"]lodash['"]/gi,
|
|
29
|
-
severity: 'low',
|
|
30
|
-
description: 'Full lodash import increases bundle size and attack surface',
|
|
31
|
-
suggestedFix: 'Import specific functions: import get from "lodash/get"',
|
|
32
|
-
},
|
|
33
|
-
{
|
|
34
|
-
name: 'moment.js (deprecated)',
|
|
35
|
-
pattern: /require\s*\(\s*['"]moment['"]\s*\)|from\s+['"]moment['"]/gi,
|
|
36
|
-
severity: 'low',
|
|
37
|
-
description: 'Moment.js is in maintenance mode, consider alternatives',
|
|
38
|
-
suggestedFix: 'Use date-fns, dayjs, or native Intl APIs',
|
|
39
|
-
},
|
|
40
|
-
// Security-focused sandbox packages - info only (these are used for security, not risky)
|
|
41
|
-
{
|
|
42
|
-
name: 'vm2 (sandbox)',
|
|
43
|
-
pattern: /require\s*\(\s*['"]vm2['"]\s*\)|from\s+['"]vm2['"]/gi,
|
|
44
|
-
severity: 'info',
|
|
45
|
-
description: 'vm2 is a sandboxing library. While it has had sandbox escape vulnerabilities historically, using it is generally safer than running untrusted code directly. Keep vm2 updated.',
|
|
46
|
-
suggestedFix: 'Keep vm2 updated to the latest version. For maximum isolation, consider isolated-vm or running in a separate process.',
|
|
47
|
-
},
|
|
48
|
-
{
|
|
49
|
-
name: 'serialize-javascript (RCE risk)',
|
|
50
|
-
pattern: /require\s*\(\s*['"]serialize-javascript['"]\s*\)|from\s+['"]serialize-javascript['"]/gi,
|
|
51
|
-
severity: 'medium',
|
|
52
|
-
description: 'serialize-javascript can be dangerous if output is not properly handled',
|
|
53
|
-
suggestedFix: 'Ensure serialized output is not directly executed or use JSON.stringify',
|
|
54
|
-
},
|
|
55
|
-
// Crypto-related risky imports
|
|
56
|
-
{
|
|
57
|
-
name: 'crypto-js (outdated patterns)',
|
|
58
|
-
pattern: /require\s*\(\s*['"]crypto-js['"]\s*\)|from\s+['"]crypto-js['"]/gi,
|
|
59
|
-
severity: 'low',
|
|
60
|
-
description: 'crypto-js may use outdated crypto patterns',
|
|
61
|
-
suggestedFix: 'Prefer Node.js built-in crypto module or Web Crypto API',
|
|
62
|
-
},
|
|
63
|
-
{
|
|
64
|
-
name: 'bcrypt-nodejs (deprecated)',
|
|
65
|
-
pattern: /require\s*\(\s*['"]bcrypt-nodejs['"]\s*\)|from\s+['"]bcrypt-nodejs['"]/gi,
|
|
66
|
-
severity: 'medium',
|
|
67
|
-
description: 'bcrypt-nodejs is deprecated and unmaintained',
|
|
68
|
-
suggestedFix: 'Use bcrypt or bcryptjs instead',
|
|
69
|
-
},
|
|
70
|
-
// SQL/Database risky patterns
|
|
71
|
-
{
|
|
72
|
-
name: 'mysql (prefer mysql2)',
|
|
73
|
-
pattern: /require\s*\(\s*['"]mysql['"]\s*\)|from\s+['"]mysql['"]/gi,
|
|
74
|
-
severity: 'low',
|
|
75
|
-
description: 'mysql package is less maintained than mysql2',
|
|
76
|
-
suggestedFix: 'Consider using mysql2 for better security and performance',
|
|
77
|
-
},
|
|
78
|
-
// Python risky imports
|
|
79
|
-
{
|
|
80
|
-
name: 'pickle (unsafe deserialization)',
|
|
81
|
-
pattern: /^import\s+pickle|^from\s+pickle\s+import/gim,
|
|
82
|
-
severity: 'high',
|
|
83
|
-
description: 'pickle can execute arbitrary code during deserialization',
|
|
84
|
-
suggestedFix: 'Use JSON or other safe serialization formats for untrusted data',
|
|
85
|
-
},
|
|
86
|
-
{
|
|
87
|
-
name: 'yaml unsafe load',
|
|
88
|
-
pattern: /yaml\.load\s*\([^)]*\)(?!.*Loader)/gi,
|
|
89
|
-
severity: 'high',
|
|
90
|
-
description: 'yaml.load without Loader parameter can execute arbitrary code',
|
|
91
|
-
suggestedFix: 'Use yaml.safe_load() or specify Loader=yaml.SafeLoader',
|
|
92
|
-
},
|
|
93
|
-
{
|
|
94
|
-
name: 'subprocess shell=True',
|
|
95
|
-
pattern: /subprocess\.(call|run|Popen|check_output)\s*\([^)]*shell\s*=\s*True/gi,
|
|
96
|
-
severity: 'high',
|
|
97
|
-
description: 'subprocess with shell=True is vulnerable to shell injection',
|
|
98
|
-
suggestedFix: 'Use shell=False and pass arguments as a list',
|
|
99
|
-
},
|
|
100
|
-
// Telemetry/tracking packages (privacy concern)
|
|
101
|
-
{
|
|
102
|
-
name: 'Analytics package',
|
|
103
|
-
pattern: /require\s*\(\s*['"](analytics|segment|mixpanel|amplitude)['"]\s*\)|from\s+['"](analytics|segment|mixpanel|amplitude)['"]/gi,
|
|
104
|
-
severity: 'low',
|
|
105
|
-
description: 'Analytics package detected - ensure user consent is obtained',
|
|
106
|
-
suggestedFix: 'Implement proper consent mechanisms for user tracking',
|
|
107
|
-
},
|
|
108
|
-
// Outdated/vulnerable web frameworks
|
|
109
|
-
{
|
|
110
|
-
name: 'express-jwt (CVE history)',
|
|
111
|
-
pattern: /require\s*\(\s*['"]express-jwt['"]\s*\)|from\s+['"]express-jwt['"]/gi,
|
|
112
|
-
severity: 'medium',
|
|
113
|
-
description: 'express-jwt has had security vulnerabilities - ensure latest version',
|
|
114
|
-
suggestedFix: 'Update to latest version and consider jose or jsonwebtoken directly',
|
|
115
|
-
},
|
|
116
|
-
// Dangerous native modules
|
|
117
|
-
{
|
|
118
|
-
name: 'node-gyp native module',
|
|
119
|
-
pattern: /require\s*\(\s*['"]node-gyp['"]\s*\)|from\s+['"]node-gyp['"]/gi,
|
|
120
|
-
severity: 'low',
|
|
121
|
-
description: 'Native modules can introduce platform-specific vulnerabilities',
|
|
122
|
-
suggestedFix: 'Audit native dependencies and keep them updated',
|
|
123
|
-
},
|
|
124
|
-
];
|
|
125
|
-
// Check if line is a comment
|
|
126
|
-
function isComment(line) {
|
|
127
|
-
const trimmed = line.trim();
|
|
128
|
-
return (trimmed.startsWith('//') ||
|
|
129
|
-
trimmed.startsWith('#') ||
|
|
130
|
-
trimmed.startsWith('*') ||
|
|
131
|
-
trimmed.startsWith('/*'));
|
|
132
|
-
}
|
|
133
|
-
function detectRiskyImports(content, filePath, options) {
|
|
134
|
-
const vulnerabilities = [];
|
|
135
|
-
// Skip scanner/fixture files to avoid self-detection
|
|
136
|
-
if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
|
|
137
|
-
return vulnerabilities;
|
|
138
|
-
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
139
|
-
lines.forEach((line, index) => {
|
|
140
|
-
// Skip comment lines
|
|
141
|
-
if (isComment(line))
|
|
142
|
-
return;
|
|
143
|
-
for (const pkg of RISKY_PACKAGES) {
|
|
144
|
-
const regex = new RegExp(pkg.pattern.source, pkg.pattern.flags);
|
|
145
|
-
if (regex.test(line)) {
|
|
146
|
-
vulnerabilities.push({
|
|
147
|
-
id: `risky-import-${filePath}-${index + 1}-${pkg.name}`,
|
|
148
|
-
filePath,
|
|
149
|
-
lineNumber: index + 1,
|
|
150
|
-
lineContent: line.trim(),
|
|
151
|
-
severity: pkg.severity,
|
|
152
|
-
category: 'suspicious_package',
|
|
153
|
-
title: `Risky package: ${pkg.name}`,
|
|
154
|
-
description: pkg.description,
|
|
155
|
-
suggestedFix: pkg.suggestedFix,
|
|
156
|
-
confidence: 'high',
|
|
157
|
-
layer: 2,
|
|
158
|
-
});
|
|
159
|
-
break; // Only report once per line
|
|
160
|
-
}
|
|
161
|
-
}
|
|
162
|
-
});
|
|
163
|
-
return vulnerabilities;
|
|
164
|
-
}
|
|
165
|
-
//# sourceMappingURL=risky-imports.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"risky-imports.js","sourceRoot":"","sources":["../../src/layer2/risky-imports.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAsJH,gDAuCC;AAzLD,8DAAiE;AAUjE,MAAM,cAAc,GAAmB;IACrC,0CAA0C;IAC1C;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,8DAA8D;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,wCAAwC;KACvD;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,kDAAkD;QAC/D,YAAY,EAAE,gCAAgC;KAC/C;IAED,sCAAsC;IACtC;QACE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,2FAA2F;QACpG,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,yDAAyD;KACxE;IACD;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,4DAA4D;QACrE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,yDAAyD;QACtE,YAAY,EAAE,0CAA0C;KACzD;IAED,yFAAyF;IACzF;QACE,IAAI,EAAE,eAAe;QACrB,OAAO,EAAE,sDAAsD;QAC/D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,gLAAgL;QAC7L,YAAY,EAAE,uHAAuH;KACtI;IACD;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,wFAAwF;QACjG,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yEAAyE;QACtF,YAAY,EAAE,yEAAyE;KACxF;IAED,+BAA+B;IAC/B;QACE,IAAI,EAAE,+BAA+B;QACrC,OAAO,EAAE,kEAAkE;QAC3E,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,4CAA4C;QACzD,YAAY,EAAE,yDAAyD;KACxE;IACD;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,0EAA0E;QACnF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,gCAAgC;KAC/C;IAED,8BAA8B;IAC9B;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8CAA8C;QAC3D,YAAY,EAAE,2DAA2D;KAC1E;IAED,uBAAuB;IACvB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,6CAA6C;QACtD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0DAA0D;QACvE,YAAY,EAAE,iEAAiE;KAChF;IACD;QACE,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,sCAAsC;QAC/C,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,wDAAwD;KACvE;IACD;QACE,IAAI,EAAE,uBAAuB;QAC7B,OAAO,EAAE,uEAAuE;QAChF,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6DAA6D;QAC1E,YAAY,EAAE,8CAA8C;KAC7D;IAED,gDAAgD;IAChD;QACE,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,4HAA4H;QACrI,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,8DAA8D;QAC3E,YAAY,EAAE,uDAAuD;KACtE;IAED,qCAAqC;IACrC;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,qEAAqE;KACpF;IAED,2BAA2B;IAC3B;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,gEAAgE;QAC7E,YAAY,EAAE,iDAAiD;KAChE;CACF,CAAA;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,CACzB,CAAA;AACH,CAAC;AAED,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,qBAAqB;QACrB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAE/D,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,gBAAgB,QAAQ,IAAI,KAAK,GAAG,CAAC,IAAI,GAAG,CAAC,IAAI,EAAE;oBACvD,QAAQ;oBACR,UAAU,EAAE,KAAK,GAAG,CAAC;oBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;oBACxB,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,QAAQ,EAAE,oBAAoB;oBAC9B,KAAK,EAAE,kBAAkB,GAAG,CAAC,IAAI,EAAE;oBACnC,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,YAAY,EAAE,GAAG,CAAC,YAAY;oBAC9B,UAAU,EAAE,MAAM;oBAClB,KAAK,EAAE,CAAC;iBACT,CAAC,CAAA;gBACF,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}
|