@oculum/scanner 1.0.14 → 1.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/detect/ai-code/index.d.ts +6 -11
- package/dist/detect/ai-code/index.d.ts.map +1 -1
- package/dist/detect/ai-code/index.js +6 -24
- package/dist/detect/ai-code/index.js.map +1 -1
- package/dist/detect/ast-rules/agent-tools-ast.d.ts +14 -0
- package/dist/detect/ast-rules/agent-tools-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/agent-tools-ast.js +809 -0
- package/dist/detect/ast-rules/agent-tools-ast.js.map +1 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts +14 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.js +344 -0
- package/dist/detect/ast-rules/ai-fingerprinting-ast.js.map +1 -0
- package/dist/detect/ast-rules/auth-patterns-ast.d.ts +14 -0
- package/dist/detect/ast-rules/auth-patterns-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/auth-patterns-ast.js +280 -0
- package/dist/detect/ast-rules/auth-patterns-ast.js.map +1 -0
- package/dist/detect/ast-rules/byok-ast.d.ts +13 -0
- package/dist/detect/ast-rules/byok-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/byok-ast.js +180 -0
- package/dist/detect/ast-rules/byok-ast.js.map +1 -0
- package/dist/detect/ast-rules/child-process-ast.d.ts +13 -0
- package/dist/detect/ast-rules/child-process-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/child-process-ast.js +252 -0
- package/dist/detect/ast-rules/child-process-ast.js.map +1 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.d.ts +13 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.js +218 -0
- package/dist/detect/ast-rules/dangerous-eval-ast.js.map +1 -0
- package/dist/detect/ast-rules/data-exposure-ast.d.ts +13 -0
- package/dist/detect/ast-rules/data-exposure-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/data-exposure-ast.js +158 -0
- package/dist/detect/ast-rules/data-exposure-ast.js.map +1 -0
- package/dist/detect/ast-rules/dom-xss-ast.d.ts +14 -0
- package/dist/detect/ast-rules/dom-xss-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/dom-xss-ast.js +217 -0
- package/dist/detect/ast-rules/dom-xss-ast.js.map +1 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.d.ts +13 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.js +228 -0
- package/dist/detect/ast-rules/endpoint-protection-ast.js.map +1 -0
- package/dist/detect/ast-rules/entropy-ast.d.ts +17 -0
- package/dist/detect/ast-rules/entropy-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/entropy-ast.js +265 -0
- package/dist/detect/ast-rules/entropy-ast.js.map +1 -0
- package/dist/detect/ast-rules/flask-debug-ast.d.ts +10 -0
- package/dist/detect/ast-rules/flask-debug-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/flask-debug-ast.js +125 -0
- package/dist/detect/ast-rules/flask-debug-ast.js.map +1 -0
- package/dist/detect/ast-rules/framework-checks-ast.d.ts +13 -0
- package/dist/detect/ast-rules/framework-checks-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/framework-checks-ast.js +185 -0
- package/dist/detect/ast-rules/framework-checks-ast.js.map +1 -0
- package/dist/detect/ast-rules/helpers/call-analysis.d.ts +62 -0
- package/dist/detect/ast-rules/helpers/call-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/call-analysis.js +217 -0
- package/dist/detect/ast-rules/helpers/call-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/context-detection.d.ts +33 -0
- package/dist/detect/ast-rules/helpers/context-detection.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/context-detection.js +256 -0
- package/dist/detect/ast-rules/helpers/context-detection.js.map +1 -0
- package/dist/detect/ast-rules/helpers/control-flow.d.ts +40 -0
- package/dist/detect/ast-rules/helpers/control-flow.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/control-flow.js +174 -0
- package/dist/detect/ast-rules/helpers/control-flow.js.map +1 -0
- package/dist/detect/ast-rules/helpers/import-analysis.d.ts +43 -0
- package/dist/detect/ast-rules/helpers/import-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/import-analysis.js +149 -0
- package/dist/detect/ast-rules/helpers/import-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/index.d.ts +16 -0
- package/dist/detect/ast-rules/helpers/index.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/index.js +112 -0
- package/dist/detect/ast-rules/helpers/index.js.map +1 -0
- package/dist/detect/ast-rules/helpers/python-helpers.d.ts +215 -0
- package/dist/detect/ast-rules/helpers/python-helpers.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/python-helpers.js +935 -0
- package/dist/detect/ast-rules/helpers/python-helpers.js.map +1 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.d.ts +50 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.js +194 -0
- package/dist/detect/ast-rules/helpers/scope-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/string-analysis.d.ts +57 -0
- package/dist/detect/ast-rules/helpers/string-analysis.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/string-analysis.js +184 -0
- package/dist/detect/ast-rules/helpers/string-analysis.js.map +1 -0
- package/dist/detect/ast-rules/helpers/type-extraction.d.ts +44 -0
- package/dist/detect/ast-rules/helpers/type-extraction.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/type-extraction.js +125 -0
- package/dist/detect/ast-rules/helpers/type-extraction.js.map +1 -0
- package/dist/detect/ast-rules/helpers/user-input.d.ts +35 -0
- package/dist/detect/ast-rules/helpers/user-input.d.ts.map +1 -0
- package/dist/detect/ast-rules/helpers/user-input.js +243 -0
- package/dist/detect/ast-rules/helpers/user-input.js.map +1 -0
- package/dist/detect/ast-rules/index.d.ts +112 -0
- package/dist/detect/ast-rules/index.d.ts.map +1 -0
- package/dist/detect/ast-rules/index.js +232 -0
- package/dist/detect/ast-rules/index.js.map +1 -0
- package/dist/detect/ast-rules/json-parse-ast.d.ts +13 -0
- package/dist/detect/ast-rules/json-parse-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/json-parse-ast.js +143 -0
- package/dist/detect/ast-rules/json-parse-ast.js.map +1 -0
- package/dist/detect/ast-rules/log-injection-ast.d.ts +14 -0
- package/dist/detect/ast-rules/log-injection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/log-injection-ast.js +235 -0
- package/dist/detect/ast-rules/log-injection-ast.js.map +1 -0
- package/dist/detect/ast-rules/logic-gates-ast.d.ts +14 -0
- package/dist/detect/ast-rules/logic-gates-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/logic-gates-ast.js +312 -0
- package/dist/detect/ast-rules/logic-gates-ast.js.map +1 -0
- package/dist/detect/ast-rules/mcp-security-ast.d.ts +14 -0
- package/dist/detect/ast-rules/mcp-security-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/mcp-security-ast.js +755 -0
- package/dist/detect/ast-rules/mcp-security-ast.js.map +1 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.d.ts +13 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.js +188 -0
- package/dist/detect/ast-rules/model-supply-chain-ast.js.map +1 -0
- package/dist/detect/ast-rules/package-hallucination-ast.d.ts +13 -0
- package/dist/detect/ast-rules/package-hallucination-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/package-hallucination-ast.js +607 -0
- package/dist/detect/ast-rules/package-hallucination-ast.js.map +1 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts +15 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.js +332 -0
- package/dist/detect/ast-rules/prompt-hygiene-ast.js.map +1 -0
- package/dist/detect/ast-rules/rag-safety-ast.d.ts +18 -0
- package/dist/detect/ast-rules/rag-safety-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/rag-safety-ast.js +640 -0
- package/dist/detect/ast-rules/rag-safety-ast.js.map +1 -0
- package/dist/detect/ast-rules/request-validation-ast.d.ts +13 -0
- package/dist/detect/ast-rules/request-validation-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/request-validation-ast.js +116 -0
- package/dist/detect/ast-rules/request-validation-ast.js.map +1 -0
- package/dist/detect/ast-rules/risky-imports-ast.d.ts +14 -0
- package/dist/detect/ast-rules/risky-imports-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/risky-imports-ast.js +114 -0
- package/dist/detect/ast-rules/risky-imports-ast.js.map +1 -0
- package/dist/detect/ast-rules/schema-validation-ast.d.ts +14 -0
- package/dist/detect/ast-rules/schema-validation-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/schema-validation-ast.js +233 -0
- package/dist/detect/ast-rules/schema-validation-ast.js.map +1 -0
- package/dist/detect/ast-rules/secret-patterns-ast.d.ts +17 -0
- package/dist/detect/ast-rules/secret-patterns-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/secret-patterns-ast.js +199 -0
- package/dist/detect/ast-rules/secret-patterns-ast.js.map +1 -0
- package/dist/detect/ast-rules/security-headers-ast.d.ts +14 -0
- package/dist/detect/ast-rules/security-headers-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/security-headers-ast.js +187 -0
- package/dist/detect/ast-rules/security-headers-ast.js.map +1 -0
- package/dist/detect/ast-rules/sql-injection-ast.d.ts +17 -0
- package/dist/detect/ast-rules/sql-injection-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/sql-injection-ast.js +497 -0
- package/dist/detect/ast-rules/sql-injection-ast.js.map +1 -0
- package/dist/detect/ast-rules/ssrf-ast.d.ts +14 -0
- package/dist/detect/ast-rules/ssrf-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/ssrf-ast.js +573 -0
- package/dist/detect/ast-rules/ssrf-ast.js.map +1 -0
- package/dist/detect/ast-rules/taint-fix-templates.d.ts +18 -0
- package/dist/detect/ast-rules/taint-fix-templates.d.ts.map +1 -0
- package/dist/detect/ast-rules/taint-fix-templates.js +92 -0
- package/dist/detect/ast-rules/taint-fix-templates.js.map +1 -0
- package/dist/detect/ast-rules/taint-flow-ast.d.ts +24 -0
- package/dist/detect/ast-rules/taint-flow-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/taint-flow-ast.js +340 -0
- package/dist/detect/ast-rules/taint-flow-ast.js.map +1 -0
- package/dist/detect/ast-rules/variables-ast.d.ts +24 -0
- package/dist/detect/ast-rules/variables-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/variables-ast.js +362 -0
- package/dist/detect/ast-rules/variables-ast.js.map +1 -0
- package/dist/detect/ast-rules/weak-crypto-ast.d.ts +15 -0
- package/dist/detect/ast-rules/weak-crypto-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/weak-crypto-ast.js +406 -0
- package/dist/detect/ast-rules/weak-crypto-ast.js.map +1 -0
- package/dist/detect/ast-rules/xxe-ast.d.ts +13 -0
- package/dist/detect/ast-rules/xxe-ast.d.ts.map +1 -0
- package/dist/detect/ast-rules/xxe-ast.js +157 -0
- package/dist/detect/ast-rules/xxe-ast.js.map +1 -0
- package/dist/detect/config/agent-skill-injection.d.ts.map +1 -1
- package/dist/detect/config/agent-skill-injection.js +2 -24
- package/dist/detect/config/agent-skill-injection.js.map +1 -1
- package/dist/detect/config/index.d.ts +1 -0
- package/dist/detect/config/index.d.ts.map +1 -1
- package/dist/detect/config/index.js +3 -1
- package/dist/detect/config/index.js.map +1 -1
- package/dist/detect/config/osv-check.d.ts.map +1 -1
- package/dist/detect/config/osv-check.js +6 -1
- package/dist/detect/config/osv-check.js.map +1 -1
- package/dist/detect/config/package-check.d.ts.map +1 -1
- package/dist/detect/config/package-check.js +6 -1
- package/dist/detect/config/package-check.js.map +1 -1
- package/dist/detect/config/rules-file-backdoor.d.ts +36 -0
- package/dist/detect/config/rules-file-backdoor.d.ts.map +1 -0
- package/dist/detect/config/rules-file-backdoor.js +379 -0
- package/dist/detect/config/rules-file-backdoor.js.map +1 -0
- package/dist/detect/index.d.ts +43 -6
- package/dist/detect/index.d.ts.map +1 -1
- package/dist/detect/index.js +70 -7
- package/dist/detect/index.js.map +1 -1
- package/dist/detect/secrets/config-audit.d.ts.map +1 -1
- package/dist/detect/secrets/config-audit.js +36 -3
- package/dist/detect/secrets/config-audit.js.map +1 -1
- package/dist/detect/secrets/entropy.d.ts.map +1 -1
- package/dist/detect/secrets/entropy.js +180 -0
- package/dist/detect/secrets/entropy.js.map +1 -1
- package/dist/detect/secrets/index.d.ts +0 -2
- package/dist/detect/secrets/index.d.ts.map +1 -1
- package/dist/detect/secrets/index.js +7 -17
- package/dist/detect/secrets/index.js.map +1 -1
- package/dist/detect/structural/index.d.ts +15 -28
- package/dist/detect/structural/index.d.ts.map +1 -1
- package/dist/detect/structural/index.js +20 -497
- package/dist/detect/structural/index.js.map +1 -1
- package/dist/index.d.ts +3 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -1
- package/dist/index.js.map +1 -1
- package/dist/model/auth-helper-detector.d.ts.map +1 -1
- package/dist/model/auth-helper-detector.js +2 -7
- package/dist/model/auth-helper-detector.js.map +1 -1
- package/dist/model/import-resolver.d.ts.map +1 -1
- package/dist/model/import-resolver.js +94 -0
- package/dist/model/import-resolver.js.map +1 -1
- package/dist/model/imported-auth-detector.js +8 -8
- package/dist/model/imported-auth-detector.js.map +1 -1
- package/dist/model/index.d.ts +8 -0
- package/dist/model/index.d.ts.map +1 -1
- package/dist/model/index.js +198 -73
- package/dist/model/index.js.map +1 -1
- package/dist/model/module-graph.d.ts.map +1 -1
- package/dist/model/module-graph.js +22 -9
- package/dist/model/module-graph.js.map +1 -1
- package/dist/model/project-context.d.ts +1 -1
- package/dist/model/project-context.d.ts.map +1 -1
- package/dist/model/project-context.js +34 -0
- package/dist/model/project-context.js.map +1 -1
- package/dist/model/route-auth-resolver.d.ts.map +1 -1
- package/dist/model/route-auth-resolver.js +17 -2
- package/dist/model/route-auth-resolver.js.map +1 -1
- package/dist/model/route-discovery/index.js +1 -1
- package/dist/model/route-discovery/index.js.map +1 -1
- package/dist/model/route-discovery/nextjs.js +1 -1
- package/dist/model/route-discovery/nextjs.js.map +1 -1
- package/dist/model/route-discovery/python.d.ts +6 -3
- package/dist/model/route-discovery/python.d.ts.map +1 -1
- package/dist/model/route-discovery/python.js +132 -9
- package/dist/model/route-discovery/python.js.map +1 -1
- package/dist/model/route-discovery/types.d.ts +1 -1
- package/dist/model/route-discovery/types.d.ts.map +1 -1
- package/dist/model/route-discovery/utils.d.ts +8 -0
- package/dist/model/route-discovery/utils.d.ts.map +1 -1
- package/dist/model/route-discovery/utils.js +70 -0
- package/dist/model/route-discovery/utils.js.map +1 -1
- package/dist/model/taint-types.d.ts +0 -4
- package/dist/model/taint-types.d.ts.map +1 -1
- package/dist/parse/ast.d.ts +58 -0
- package/dist/parse/ast.d.ts.map +1 -0
- package/dist/parse/ast.js +230 -0
- package/dist/parse/ast.js.map +1 -0
- package/dist/parse/call-graph.d.ts +41 -0
- package/dist/parse/call-graph.d.ts.map +1 -0
- package/dist/parse/call-graph.js +386 -0
- package/dist/parse/call-graph.js.map +1 -0
- package/dist/parse/file-classifier.d.ts +11 -0
- package/dist/parse/file-classifier.d.ts.map +1 -1
- package/dist/parse/file-classifier.js +63 -15
- package/dist/parse/file-classifier.js.map +1 -1
- package/dist/parse/node-index.d.ts +32 -0
- package/dist/parse/node-index.d.ts.map +1 -0
- package/dist/parse/node-index.js +103 -0
- package/dist/parse/node-index.js.map +1 -0
- package/dist/parse/type-extractor.d.ts +50 -0
- package/dist/parse/type-extractor.d.ts.map +1 -0
- package/dist/parse/type-extractor.js +243 -0
- package/dist/parse/type-extractor.js.map +1 -0
- package/dist/pipeline/config.d.ts +7 -1
- package/dist/pipeline/config.d.ts.map +1 -1
- package/dist/pipeline/config.js.map +1 -1
- package/dist/pipeline/index.d.ts +3 -3
- package/dist/pipeline/index.d.ts.map +1 -1
- package/dist/pipeline/index.js +192 -64
- package/dist/pipeline/index.js.map +1 -1
- package/dist/pipeline/modes/incremental.d.ts.map +1 -1
- package/dist/pipeline/modes/incremental.js +2 -7
- package/dist/pipeline/modes/incremental.js.map +1 -1
- package/dist/postprocess/dedup.d.ts +5 -2
- package/dist/postprocess/dedup.d.ts.map +1 -1
- package/dist/postprocess/dedup.js +47 -16
- package/dist/postprocess/dedup.js.map +1 -1
- package/dist/report/build-result.d.ts +9 -4
- package/dist/report/build-result.d.ts.map +1 -1
- package/dist/report/build-result.js +15 -4
- package/dist/report/build-result.js.map +1 -1
- package/dist/report/formatters/cli-terminal.d.ts +1 -1
- package/dist/report/formatters/cli-terminal.d.ts.map +1 -1
- package/dist/report/formatters/cli-terminal.js +434 -231
- package/dist/report/formatters/cli-terminal.js.map +1 -1
- package/dist/report/sanitize.d.ts +10 -0
- package/dist/report/sanitize.d.ts.map +1 -0
- package/dist/report/sanitize.js +19 -0
- package/dist/report/sanitize.js.map +1 -0
- package/dist/score/adjustments.d.ts +20 -2
- package/dist/score/adjustments.d.ts.map +1 -1
- package/dist/score/adjustments.js +108 -37
- package/dist/score/adjustments.js.map +1 -1
- package/dist/score/confidence.d.ts +6 -0
- package/dist/score/confidence.d.ts.map +1 -1
- package/dist/score/confidence.js +10 -4
- package/dist/score/confidence.js.map +1 -1
- package/dist/score/evidence.d.ts +25 -0
- package/dist/score/evidence.d.ts.map +1 -0
- package/dist/score/evidence.js +51 -0
- package/dist/score/evidence.js.map +1 -0
- package/dist/score/index.d.ts +3 -1
- package/dist/score/index.d.ts.map +1 -1
- package/dist/score/index.js +25 -50
- package/dist/score/index.js.map +1 -1
- package/dist/score/types.d.ts +5 -1
- package/dist/score/types.d.ts.map +1 -1
- package/dist/shared/category-filter.d.ts.map +1 -1
- package/dist/shared/category-filter.js +12 -0
- package/dist/shared/category-filter.js.map +1 -1
- package/dist/shared/regex-utils.d.ts +3 -0
- package/dist/shared/regex-utils.d.ts.map +1 -0
- package/dist/shared/regex-utils.js +8 -0
- package/dist/shared/regex-utils.js.map +1 -0
- package/dist/shared/registry-clients.d.ts +7 -0
- package/dist/shared/registry-clients.d.ts.map +1 -1
- package/dist/shared/registry-clients.js +94 -17
- package/dist/shared/registry-clients.js.map +1 -1
- package/dist/shared/rules/metadata.d.ts.map +1 -1
- package/dist/shared/rules/metadata.js +17 -0
- package/dist/shared/rules/metadata.js.map +1 -1
- package/dist/shared/types.d.ts +59 -15
- package/dist/shared/types.d.ts.map +1 -1
- package/dist/shared/types.js +38 -21
- package/dist/shared/types.js.map +1 -1
- package/dist/taint/async-flow.d.ts +44 -0
- package/dist/taint/async-flow.d.ts.map +1 -0
- package/dist/taint/async-flow.js +271 -0
- package/dist/taint/async-flow.js.map +1 -0
- package/dist/taint/cfg-builder.d.ts +35 -0
- package/dist/taint/cfg-builder.d.ts.map +1 -0
- package/dist/taint/cfg-builder.js +980 -0
- package/dist/taint/cfg-builder.js.map +1 -0
- package/dist/taint/cfg-types.d.ts +76 -0
- package/dist/taint/cfg-types.d.ts.map +1 -0
- package/dist/taint/cfg-types.js +13 -0
- package/dist/taint/cfg-types.js.map +1 -0
- package/dist/taint/constant-propagation.d.ts +34 -0
- package/dist/taint/constant-propagation.d.ts.map +1 -0
- package/dist/taint/constant-propagation.js +164 -0
- package/dist/taint/constant-propagation.js.map +1 -0
- package/dist/taint/cross-file-analyzer.d.ts +27 -0
- package/dist/taint/cross-file-analyzer.d.ts.map +1 -0
- package/dist/taint/cross-file-analyzer.js +99 -0
- package/dist/taint/cross-file-analyzer.js.map +1 -0
- package/dist/taint/cross-file-index.d.ts +59 -0
- package/dist/taint/cross-file-index.d.ts.map +1 -0
- package/dist/taint/cross-file-index.js +183 -0
- package/dist/taint/cross-file-index.js.map +1 -0
- package/dist/taint/def-use.d.ts +27 -0
- package/dist/taint/def-use.d.ts.map +1 -0
- package/dist/taint/def-use.js +519 -0
- package/dist/taint/def-use.js.map +1 -0
- package/dist/taint/file-analysis-cache.d.ts +47 -0
- package/dist/taint/file-analysis-cache.d.ts.map +1 -0
- package/dist/taint/file-analysis-cache.js +107 -0
- package/dist/taint/file-analysis-cache.js.map +1 -0
- package/dist/taint/framework-models.d.ts +77 -0
- package/dist/taint/framework-models.d.ts.map +1 -0
- package/dist/taint/framework-models.js +258 -0
- package/dist/taint/framework-models.js.map +1 -0
- package/dist/taint/helpers.d.ts +31 -0
- package/dist/taint/helpers.d.ts.map +1 -0
- package/dist/taint/helpers.js +130 -0
- package/dist/taint/helpers.js.map +1 -0
- package/dist/taint/index.d.ts +28 -0
- package/dist/taint/index.d.ts.map +1 -0
- package/dist/taint/index.js +77 -0
- package/dist/taint/index.js.map +1 -0
- package/dist/taint/llm-registry.d.ts +47 -0
- package/dist/taint/llm-registry.d.ts.map +1 -0
- package/dist/taint/llm-registry.js +152 -0
- package/dist/taint/llm-registry.js.map +1 -0
- package/dist/taint/llm-risk-scoring.d.ts +54 -0
- package/dist/taint/llm-risk-scoring.d.ts.map +1 -0
- package/dist/taint/llm-risk-scoring.js +376 -0
- package/dist/taint/llm-risk-scoring.js.map +1 -0
- package/dist/taint/propagation-types.d.ts +104 -0
- package/dist/taint/propagation-types.d.ts.map +1 -0
- package/dist/taint/propagation-types.js +98 -0
- package/dist/taint/propagation-types.js.map +1 -0
- package/dist/taint/propagation.d.ts +111 -0
- package/dist/taint/propagation.d.ts.map +1 -0
- package/dist/taint/propagation.js +1576 -0
- package/dist/taint/propagation.js.map +1 -0
- package/dist/taint/sanitizer-registry.d.ts +26 -0
- package/dist/taint/sanitizer-registry.d.ts.map +1 -0
- package/dist/taint/sanitizer-registry.js +422 -0
- package/dist/taint/sanitizer-registry.js.map +1 -0
- package/dist/taint/sink-classifier.d.ts +27 -0
- package/dist/taint/sink-classifier.d.ts.map +1 -0
- package/dist/taint/sink-classifier.js +1166 -0
- package/dist/taint/sink-classifier.js.map +1 -0
- package/dist/taint/source-classifier.d.ts +29 -0
- package/dist/taint/source-classifier.d.ts.map +1 -0
- package/dist/taint/source-classifier.js +814 -0
- package/dist/taint/source-classifier.js.map +1 -0
- package/dist/taint/taint-analyzer.d.ts +33 -0
- package/dist/taint/taint-analyzer.d.ts.map +1 -0
- package/dist/taint/taint-analyzer.js +88 -0
- package/dist/taint/taint-analyzer.js.map +1 -0
- package/dist/taint/taint-summary.d.ts +37 -0
- package/dist/taint/taint-summary.d.ts.map +1 -0
- package/dist/taint/taint-summary.js +293 -0
- package/dist/taint/taint-summary.js.map +1 -0
- package/dist/taint/types.d.ts +47 -0
- package/dist/taint/types.d.ts.map +1 -0
- package/dist/taint/types.js +19 -0
- package/dist/taint/types.js.map +1 -0
- package/dist/validate/clients.d.ts +2 -1
- package/dist/validate/clients.d.ts.map +1 -1
- package/dist/validate/clients.js +3 -2
- package/dist/validate/clients.js.map +1 -1
- package/dist/validate/index.d.ts +5 -6
- package/dist/validate/index.d.ts.map +1 -1
- package/dist/validate/index.js +22 -21
- package/dist/validate/index.js.map +1 -1
- package/dist/validate/prompts/modules/ai-patterns.d.ts +1 -1
- package/dist/validate/prompts/modules/ai-patterns.d.ts.map +1 -1
- package/dist/validate/prompts/modules/ai-patterns.js +16 -0
- package/dist/validate/prompts/modules/ai-patterns.js.map +1 -1
- package/dist/validate/prompts/modules/common.d.ts +1 -1
- package/dist/validate/prompts/modules/common.d.ts.map +1 -1
- package/dist/validate/prompts/modules/common.js +12 -3
- package/dist/validate/prompts/modules/common.js.map +1 -1
- package/dist/validate/providers/anthropic.d.ts +4 -4
- package/dist/validate/providers/anthropic.d.ts.map +1 -1
- package/dist/validate/providers/anthropic.js +85 -58
- package/dist/validate/providers/anthropic.js.map +1 -1
- package/dist/validate/providers/openai.d.ts +4 -4
- package/dist/validate/providers/openai.d.ts.map +1 -1
- package/dist/validate/providers/openai.js +149 -99
- package/dist/validate/providers/openai.js.map +1 -1
- package/dist/validate/request-builder.d.ts +2 -8
- package/dist/validate/request-builder.d.ts.map +1 -1
- package/dist/validate/request-builder.js +4 -34
- package/dist/validate/request-builder.js.map +1 -1
- package/dist/validate/types.d.ts +9 -0
- package/dist/validate/types.d.ts.map +1 -1
- package/dist/validate/types.js.map +1 -1
- package/dist/validate/utils/path-helpers.js +2 -2
- package/dist/validate/utils/path-helpers.js.map +1 -1
- package/dist/validate/utils/response-parser.d.ts +10 -0
- package/dist/validate/utils/response-parser.d.ts.map +1 -1
- package/dist/validate/utils/response-parser.js +21 -2
- package/dist/validate/utils/response-parser.js.map +1 -1
- package/dist/validate/utils/retry.d.ts.map +1 -1
- package/dist/validate/utils/retry.js +19 -4
- package/dist/validate/utils/retry.js.map +1 -1
- package/package.json +7 -4
- package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1 -1
- package/src/__tests__/benchmark/planted-benchmark.test.ts +337 -0
- package/src/__tests__/benchmark/utils/test-runner.ts +38 -4
- package/src/__tests__/category-filter.test.ts +5 -1
- package/src/__tests__/context-engine/route-discovery/python.test.ts +726 -0
- package/src/__tests__/detect/ast-rules.test.ts +1043 -0
- package/src/__tests__/detect/offline-mode.test.ts +147 -0
- package/src/__tests__/detect/python-ast-rules.test.ts +569 -0
- package/src/__tests__/detect/python-helpers.test.ts +536 -0
- package/src/__tests__/detect/python-sast-rules.test.ts +453 -0
- package/src/__tests__/detect/rules-file-backdoor-decoders.test.ts +151 -0
- package/src/__tests__/detect/rules-file-backdoor.test.ts +284 -0
- package/src/__tests__/detect/taint-fix-templates.test.ts +150 -0
- package/src/__tests__/detect/taint-path-serialization.test.ts +170 -0
- package/src/__tests__/parse/call-graph.test.ts +300 -0
- package/src/__tests__/parse/python-parser.test.ts +274 -0
- package/src/__tests__/regression/known-false-positives.test.ts +491 -9
- package/src/__tests__/regression/rules-file-backdoor.test.ts +137 -0
- package/src/__tests__/score/adjustments.test.ts +34 -16
- package/src/__tests__/score/confidence.test.ts +84 -57
- package/src/__tests__/score/evidence-scoring.test.ts +249 -0
- package/src/__tests__/score/evidence.test.ts +144 -0
- package/src/__tests__/score/scoring-integration.test.ts +56 -34
- package/src/__tests__/score/taint-adjustments.test.ts +14 -228
- package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +65 -59
- package/src/__tests__/snapshots/scan-depth.test.ts +39 -7
- package/src/__tests__/taint/async-flow.test.ts +247 -0
- package/src/__tests__/taint/cfg-builder.test.ts +835 -0
- package/src/__tests__/taint/constant-propagation.test.ts +302 -0
- package/src/__tests__/taint/cross-file-index.test.ts +683 -0
- package/src/__tests__/taint/cross-file-integration.test.ts +275 -0
- package/src/__tests__/taint/cross-file-propagation.test.ts +910 -0
- package/src/__tests__/taint/def-use.test.ts +132 -0
- package/src/__tests__/taint/field-sensitive-sinks.test.ts +179 -0
- package/src/__tests__/taint/field-sensitivity.test.ts +342 -0
- package/src/__tests__/taint/file-analysis-cache.test.ts +290 -0
- package/src/__tests__/taint/framework-models.test.ts +227 -0
- package/src/__tests__/taint/llm-flow-graph.test.ts +850 -0
- package/src/__tests__/taint/llm-risk-scoring.test.ts +439 -0
- package/src/__tests__/taint/performance-parity.test.ts +315 -0
- package/src/__tests__/taint/propagation.test.ts +621 -0
- package/src/__tests__/taint/python-cross-file.test.ts +494 -0
- package/src/__tests__/taint/python-taint.test.ts +1344 -0
- package/src/__tests__/taint/sanitizer-registry.test.ts +304 -0
- package/src/__tests__/taint/sanitizer-regression.test.ts +111 -0
- package/src/__tests__/taint/sink-classifier.test.ts +537 -0
- package/src/__tests__/taint/source-classifier.test.ts +367 -0
- package/src/__tests__/taint/taint-pipeline.test.ts +418 -0
- package/src/__tests__/taint/taint-smoke.test.ts +400 -0
- package/src/__tests__/taint/taint-summary.test.ts +472 -0
- package/src/detect/ai-code/index.ts +6 -11
- package/src/detect/ast-rules/agent-tools-ast.ts +861 -0
- package/src/detect/ast-rules/ai-fingerprinting-ast.ts +451 -0
- package/src/detect/ast-rules/auth-patterns-ast.ts +304 -0
- package/src/detect/ast-rules/byok-ast.ts +195 -0
- package/src/detect/ast-rules/child-process-ast.ts +276 -0
- package/src/detect/ast-rules/dangerous-eval-ast.ts +227 -0
- package/src/detect/ast-rules/data-exposure-ast.ts +162 -0
- package/src/detect/ast-rules/dom-xss-ast.ts +260 -0
- package/src/detect/ast-rules/endpoint-protection-ast.ts +231 -0
- package/src/detect/ast-rules/entropy-ast.ts +268 -0
- package/src/detect/ast-rules/flask-debug-ast.ts +148 -0
- package/src/detect/ast-rules/framework-checks-ast.ts +200 -0
- package/src/detect/ast-rules/helpers/call-analysis.ts +256 -0
- package/src/detect/ast-rules/helpers/context-detection.ts +277 -0
- package/src/detect/ast-rules/helpers/control-flow.ts +179 -0
- package/src/detect/ast-rules/helpers/import-analysis.ts +185 -0
- package/src/detect/ast-rules/helpers/index.ts +133 -0
- package/src/detect/ast-rules/helpers/python-helpers.ts +1054 -0
- package/src/detect/ast-rules/helpers/scope-analysis.ts +224 -0
- package/src/detect/ast-rules/helpers/string-analysis.ts +215 -0
- package/src/detect/ast-rules/helpers/type-extraction.ts +138 -0
- package/src/detect/ast-rules/helpers/user-input.ts +256 -0
- package/src/detect/ast-rules/index.ts +311 -0
- package/src/detect/ast-rules/json-parse-ast.ts +162 -0
- package/src/detect/ast-rules/log-injection-ast.ts +243 -0
- package/src/detect/ast-rules/logic-gates-ast.ts +343 -0
- package/src/detect/ast-rules/mcp-security-ast.ts +808 -0
- package/src/detect/ast-rules/model-supply-chain-ast.ts +202 -0
- package/src/detect/ast-rules/package-hallucination-ast.ts +664 -0
- package/src/detect/ast-rules/prompt-hygiene-ast.ts +329 -0
- package/src/detect/ast-rules/rag-safety-ast.ts +689 -0
- package/src/detect/ast-rules/request-validation-ast.ts +122 -0
- package/src/detect/ast-rules/risky-imports-ast.ts +133 -0
- package/src/detect/ast-rules/schema-validation-ast.ts +244 -0
- package/src/detect/ast-rules/secret-patterns-ast.ts +223 -0
- package/src/detect/ast-rules/security-headers-ast.ts +206 -0
- package/src/detect/ast-rules/sql-injection-ast.ts +614 -0
- package/src/detect/ast-rules/ssrf-ast.ts +601 -0
- package/src/detect/ast-rules/taint-fix-templates.ts +108 -0
- package/src/detect/ast-rules/taint-flow-ast.ts +416 -0
- package/src/detect/ast-rules/variables-ast.ts +446 -0
- package/src/detect/ast-rules/weak-crypto-ast.ts +441 -0
- package/src/detect/ast-rules/xxe-ast.ts +184 -0
- package/src/detect/config/agent-skill-injection.ts +2 -24
- package/src/detect/config/index.ts +1 -0
- package/src/detect/config/osv-check.ts +6 -1
- package/src/detect/config/package-check.ts +6 -1
- package/src/detect/config/rules-file-backdoor.ts +438 -0
- package/src/detect/index.ts +146 -52
- package/src/detect/secrets/config-audit.ts +37 -3
- package/src/detect/secrets/entropy.ts +195 -0
- package/src/detect/secrets/index.ts +7 -16
- package/src/detect/structural/index.ts +23 -566
- package/src/index.ts +7 -0
- package/src/model/auth-helper-detector.ts +1 -7
- package/src/model/import-resolver.ts +104 -0
- package/src/model/imported-auth-detector.ts +1 -1
- package/src/model/index.ts +240 -80
- package/src/model/module-graph.ts +17 -5
- package/src/model/project-context.ts +28 -1
- package/src/model/route-auth-resolver.ts +18 -3
- package/src/model/route-discovery/index.ts +1 -1
- package/src/model/route-discovery/nextjs.ts +1 -1
- package/src/model/route-discovery/python.ts +156 -9
- package/src/model/route-discovery/types.ts +1 -1
- package/src/model/route-discovery/utils.ts +73 -0
- package/src/model/taint-types.ts +1 -6
- package/src/parse/ast.ts +271 -0
- package/src/parse/call-graph.ts +419 -0
- package/src/parse/file-classifier.ts +69 -15
- package/src/parse/node-index.ts +118 -0
- package/src/parse/type-extractor.ts +293 -0
- package/src/pipeline/config.ts +7 -0
- package/src/pipeline/index.ts +464 -199
- package/src/pipeline/modes/incremental.ts +1 -7
- package/src/postprocess/dedup.ts +48 -17
- package/src/report/build-result.ts +57 -29
- package/src/report/formatters/cli-terminal.ts +731 -415
- package/src/report/sanitize.ts +27 -0
- package/src/score/adjustments.ts +113 -40
- package/src/score/confidence.ts +10 -5
- package/src/score/evidence.ts +55 -0
- package/src/score/index.ts +27 -55
- package/src/score/types.ts +4 -0
- package/src/shared/category-filter.ts +12 -0
- package/src/shared/regex-utils.ts +4 -0
- package/src/shared/registry-clients.ts +106 -18
- package/src/shared/rules/__tests__/metadata.test.ts +5 -1
- package/src/shared/rules/metadata.ts +19 -0
- package/src/shared/types.ts +372 -253
- package/src/taint/async-flow.ts +301 -0
- package/src/taint/cfg-builder.ts +1127 -0
- package/src/taint/cfg-types.ts +110 -0
- package/src/taint/constant-propagation.ts +170 -0
- package/src/taint/cross-file-analyzer.ts +118 -0
- package/src/taint/cross-file-index.ts +275 -0
- package/src/taint/def-use.ts +556 -0
- package/src/taint/file-analysis-cache.ts +145 -0
- package/src/taint/framework-models.ts +313 -0
- package/src/taint/helpers.ts +138 -0
- package/src/taint/index.ts +71 -0
- package/src/taint/llm-registry.ts +174 -0
- package/src/taint/llm-risk-scoring.ts +412 -0
- package/src/taint/propagation-types.ts +188 -0
- package/src/taint/propagation.ts +1750 -0
- package/src/taint/sanitizer-registry.ts +490 -0
- package/src/taint/sink-classifier.ts +1402 -0
- package/src/taint/source-classifier.ts +859 -0
- package/src/taint/taint-analyzer.ts +112 -0
- package/src/taint/taint-summary.ts +341 -0
- package/src/taint/types.ts +86 -0
- package/src/validate/clients.ts +3 -2
- package/src/validate/index.ts +89 -53
- package/src/validate/prompts/modules/ai-patterns.ts +16 -0
- package/src/validate/prompts/modules/common.ts +12 -3
- package/src/validate/providers/anthropic.ts +254 -148
- package/src/validate/providers/openai.ts +363 -218
- package/src/validate/request-builder.ts +2 -45
- package/src/validate/types.ts +9 -0
- package/src/validate/utils/path-helpers.ts +2 -2
- package/src/validate/utils/response-parser.ts +32 -3
- package/src/validate/utils/retry.ts +19 -4
- package/dist/ai-context/index.d.ts +0 -6
- package/dist/ai-context/index.d.ts.map +0 -1
- package/dist/ai-context/index.js +0 -13
- package/dist/ai-context/index.js.map +0 -1
- package/dist/ai-context/manager.d.ts +0 -67
- package/dist/ai-context/manager.d.ts.map +0 -1
- package/dist/ai-context/manager.js +0 -104
- package/dist/ai-context/manager.js.map +0 -1
- package/dist/baseline/diff.d.ts +0 -32
- package/dist/baseline/diff.d.ts.map +0 -1
- package/dist/baseline/diff.js +0 -119
- package/dist/baseline/diff.js.map +0 -1
- package/dist/baseline/index.d.ts +0 -9
- package/dist/baseline/index.d.ts.map +0 -1
- package/dist/baseline/index.js +0 -19
- package/dist/baseline/index.js.map +0 -1
- package/dist/baseline/manager.d.ts +0 -67
- package/dist/baseline/manager.d.ts.map +0 -1
- package/dist/baseline/manager.js +0 -180
- package/dist/baseline/manager.js.map +0 -1
- package/dist/baseline/types.d.ts +0 -91
- package/dist/baseline/types.d.ts.map +0 -1
- package/dist/baseline/types.js +0 -12
- package/dist/baseline/types.js.map +0 -1
- package/dist/category-filter.d.ts +0 -125
- package/dist/category-filter.d.ts.map +0 -1
- package/dist/category-filter.js +0 -360
- package/dist/category-filter.js.map +0 -1
- package/dist/detect/ai-code/agent-tools.d.ts +0 -22
- package/dist/detect/ai-code/agent-tools.d.ts.map +0 -1
- package/dist/detect/ai-code/agent-tools.js +0 -1509
- package/dist/detect/ai-code/agent-tools.js.map +0 -1
- package/dist/detect/ai-code/byok-patterns.d.ts +0 -15
- package/dist/detect/ai-code/byok-patterns.d.ts.map +0 -1
- package/dist/detect/ai-code/byok-patterns.js +0 -313
- package/dist/detect/ai-code/byok-patterns.js.map +0 -1
- package/dist/detect/ai-code/endpoint-protection.d.ts +0 -38
- package/dist/detect/ai-code/endpoint-protection.d.ts.map +0 -1
- package/dist/detect/ai-code/endpoint-protection.js +0 -349
- package/dist/detect/ai-code/endpoint-protection.js.map +0 -1
- package/dist/detect/ai-code/execution-sinks.d.ts +0 -21
- package/dist/detect/ai-code/execution-sinks.d.ts.map +0 -1
- package/dist/detect/ai-code/execution-sinks.js +0 -1158
- package/dist/detect/ai-code/execution-sinks.js.map +0 -1
- package/dist/detect/ai-code/fingerprinting.d.ts +0 -10
- package/dist/detect/ai-code/fingerprinting.d.ts.map +0 -1
- package/dist/detect/ai-code/fingerprinting.js +0 -665
- package/dist/detect/ai-code/fingerprinting.js.map +0 -1
- package/dist/detect/ai-code/mcp-security.d.ts +0 -20
- package/dist/detect/ai-code/mcp-security.d.ts.map +0 -1
- package/dist/detect/ai-code/mcp-security.js +0 -880
- package/dist/detect/ai-code/mcp-security.js.map +0 -1
- package/dist/detect/ai-code/model-supply-chain.d.ts +0 -23
- package/dist/detect/ai-code/model-supply-chain.d.ts.map +0 -1
- package/dist/detect/ai-code/model-supply-chain.js +0 -447
- package/dist/detect/ai-code/model-supply-chain.js.map +0 -1
- package/dist/detect/ai-code/package-hallucination.d.ts +0 -22
- package/dist/detect/ai-code/package-hallucination.d.ts.map +0 -1
- package/dist/detect/ai-code/package-hallucination.js +0 -841
- package/dist/detect/ai-code/package-hallucination.js.map +0 -1
- package/dist/detect/ai-code/prompt-hygiene.d.ts +0 -22
- package/dist/detect/ai-code/prompt-hygiene.d.ts.map +0 -1
- package/dist/detect/ai-code/prompt-hygiene.js +0 -1177
- package/dist/detect/ai-code/prompt-hygiene.js.map +0 -1
- package/dist/detect/ai-code/rag-safety.d.ts +0 -24
- package/dist/detect/ai-code/rag-safety.d.ts.map +0 -1
- package/dist/detect/ai-code/rag-safety.js +0 -913
- package/dist/detect/ai-code/rag-safety.js.map +0 -1
- package/dist/detect/ai-code/schema-validation.d.ts +0 -28
- package/dist/detect/ai-code/schema-validation.d.ts.map +0 -1
- package/dist/detect/ai-code/schema-validation.js +0 -378
- package/dist/detect/ai-code/schema-validation.js.map +0 -1
- package/dist/detect/secrets/patterns.d.ts +0 -11
- package/dist/detect/secrets/patterns.d.ts.map +0 -1
- package/dist/detect/secrets/patterns.js +0 -518
- package/dist/detect/secrets/patterns.js.map +0 -1
- package/dist/detect/secrets/weak-crypto.d.ts +0 -10
- package/dist/detect/secrets/weak-crypto.d.ts.map +0 -1
- package/dist/detect/secrets/weak-crypto.js +0 -432
- package/dist/detect/secrets/weak-crypto.js.map +0 -1
- package/dist/detect/structural/auth-patterns.d.ts +0 -22
- package/dist/detect/structural/auth-patterns.d.ts.map +0 -1
- package/dist/detect/structural/auth-patterns.js +0 -533
- package/dist/detect/structural/auth-patterns.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/child-process.d.ts +0 -16
- package/dist/detect/structural/dangerous-functions/child-process.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/child-process.js +0 -74
- package/dist/detect/structural/dangerous-functions/child-process.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts +0 -34
- package/dist/detect/structural/dangerous-functions/dom-xss.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/dom-xss.js +0 -230
- package/dist/detect/structural/dangerous-functions/dom-xss.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/index.d.ts +0 -16
- package/dist/detect/structural/dangerous-functions/index.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/index.js +0 -1193
- package/dist/detect/structural/dangerous-functions/index.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts +0 -31
- package/dist/detect/structural/dangerous-functions/json-parse.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/json-parse.js +0 -326
- package/dist/detect/structural/dangerous-functions/json-parse.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/math-random.d.ts +0 -111
- package/dist/detect/structural/dangerous-functions/math-random.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/math-random.js +0 -684
- package/dist/detect/structural/dangerous-functions/math-random.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/patterns.d.ts +0 -21
- package/dist/detect/structural/dangerous-functions/patterns.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/patterns.js +0 -163
- package/dist/detect/structural/dangerous-functions/patterns.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts +0 -13
- package/dist/detect/structural/dangerous-functions/request-validation.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/request-validation.js +0 -126
- package/dist/detect/structural/dangerous-functions/request-validation.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts +0 -24
- package/dist/detect/structural/dangerous-functions/utils/control-flow.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js +0 -70
- package/dist/detect/structural/dangerous-functions/utils/control-flow.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts +0 -31
- package/dist/detect/structural/dangerous-functions/utils/helpers.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/helpers.js +0 -147
- package/dist/detect/structural/dangerous-functions/utils/helpers.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts +0 -9
- package/dist/detect/structural/dangerous-functions/utils/index.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/index.js +0 -23
- package/dist/detect/structural/dangerous-functions/utils/index.js.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts +0 -22
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js +0 -102
- package/dist/detect/structural/dangerous-functions/utils/schema-validation.js.map +0 -1
- package/dist/detect/structural/data-exposure.d.ts +0 -19
- package/dist/detect/structural/data-exposure.d.ts.map +0 -1
- package/dist/detect/structural/data-exposure.js +0 -262
- package/dist/detect/structural/data-exposure.js.map +0 -1
- package/dist/detect/structural/framework-checks.d.ts +0 -10
- package/dist/detect/structural/framework-checks.d.ts.map +0 -1
- package/dist/detect/structural/framework-checks.js +0 -389
- package/dist/detect/structural/framework-checks.js.map +0 -1
- package/dist/detect/structural/log-injection.d.ts +0 -18
- package/dist/detect/structural/log-injection.d.ts.map +0 -1
- package/dist/detect/structural/log-injection.js +0 -217
- package/dist/detect/structural/log-injection.js.map +0 -1
- package/dist/detect/structural/logic-gates.d.ts +0 -10
- package/dist/detect/structural/logic-gates.d.ts.map +0 -1
- package/dist/detect/structural/logic-gates.js +0 -227
- package/dist/detect/structural/logic-gates.js.map +0 -1
- package/dist/detect/structural/risky-imports.d.ts +0 -10
- package/dist/detect/structural/risky-imports.d.ts.map +0 -1
- package/dist/detect/structural/risky-imports.js +0 -168
- package/dist/detect/structural/risky-imports.js.map +0 -1
- package/dist/detect/structural/security-headers.d.ts +0 -18
- package/dist/detect/structural/security-headers.d.ts.map +0 -1
- package/dist/detect/structural/security-headers.js +0 -196
- package/dist/detect/structural/security-headers.js.map +0 -1
- package/dist/detect/structural/ssrf-detection.d.ts +0 -18
- package/dist/detect/structural/ssrf-detection.d.ts.map +0 -1
- package/dist/detect/structural/ssrf-detection.js +0 -263
- package/dist/detect/structural/ssrf-detection.js.map +0 -1
- package/dist/detect/structural/variables.d.ts +0 -11
- package/dist/detect/structural/variables.d.ts.map +0 -1
- package/dist/detect/structural/variables.js +0 -159
- package/dist/detect/structural/variables.js.map +0 -1
- package/dist/detect/structural/xxe-detection.d.ts +0 -18
- package/dist/detect/structural/xxe-detection.d.ts.map +0 -1
- package/dist/detect/structural/xxe-detection.js +0 -245
- package/dist/detect/structural/xxe-detection.js.map +0 -1
- package/dist/filtering/context-adjustments.d.ts +0 -23
- package/dist/filtering/context-adjustments.d.ts.map +0 -1
- package/dist/filtering/context-adjustments.js +0 -100
- package/dist/filtering/context-adjustments.js.map +0 -1
- package/dist/filtering/index.d.ts +0 -3
- package/dist/filtering/index.d.ts.map +0 -1
- package/dist/filtering/index.js +0 -8
- package/dist/filtering/index.js.map +0 -1
- package/dist/filtering/pipeline.d.ts +0 -48
- package/dist/filtering/pipeline.d.ts.map +0 -1
- package/dist/filtering/pipeline.js +0 -76
- package/dist/filtering/pipeline.js.map +0 -1
- package/dist/formatters/ai-context.d.ts +0 -23
- package/dist/formatters/ai-context.d.ts.map +0 -1
- package/dist/formatters/ai-context.js +0 -238
- package/dist/formatters/ai-context.js.map +0 -1
- package/dist/formatters/cli-terminal.d.ts +0 -65
- package/dist/formatters/cli-terminal.d.ts.map +0 -1
- package/dist/formatters/cli-terminal.js +0 -735
- package/dist/formatters/cli-terminal.js.map +0 -1
- package/dist/formatters/github-comment.d.ts +0 -41
- package/dist/formatters/github-comment.d.ts.map +0 -1
- package/dist/formatters/github-comment.js +0 -370
- package/dist/formatters/github-comment.js.map +0 -1
- package/dist/formatters/grouping.d.ts +0 -52
- package/dist/formatters/grouping.d.ts.map +0 -1
- package/dist/formatters/grouping.js +0 -152
- package/dist/formatters/grouping.js.map +0 -1
- package/dist/formatters/ide/claude-code.d.ts +0 -17
- package/dist/formatters/ide/claude-code.d.ts.map +0 -1
- package/dist/formatters/ide/claude-code.js +0 -94
- package/dist/formatters/ide/claude-code.js.map +0 -1
- package/dist/formatters/ide/cursor.d.ts +0 -13
- package/dist/formatters/ide/cursor.d.ts.map +0 -1
- package/dist/formatters/ide/cursor.js +0 -125
- package/dist/formatters/ide/cursor.js.map +0 -1
- package/dist/formatters/ide/index.d.ts +0 -62
- package/dist/formatters/ide/index.d.ts.map +0 -1
- package/dist/formatters/ide/index.js +0 -184
- package/dist/formatters/ide/index.js.map +0 -1
- package/dist/formatters/ide/windsurf.d.ts +0 -13
- package/dist/formatters/ide/windsurf.d.ts.map +0 -1
- package/dist/formatters/ide/windsurf.js +0 -117
- package/dist/formatters/ide/windsurf.js.map +0 -1
- package/dist/formatters/index.d.ts +0 -11
- package/dist/formatters/index.d.ts.map +0 -1
- package/dist/formatters/index.js +0 -54
- package/dist/formatters/index.js.map +0 -1
- package/dist/formatters/vscode-diagnostic.d.ts +0 -103
- package/dist/formatters/vscode-diagnostic.d.ts.map +0 -1
- package/dist/formatters/vscode-diagnostic.js +0 -151
- package/dist/formatters/vscode-diagnostic.js.map +0 -1
- package/dist/layer1/comments.d.ts +0 -11
- package/dist/layer1/comments.d.ts.map +0 -1
- package/dist/layer1/comments.js +0 -203
- package/dist/layer1/comments.js.map +0 -1
- package/dist/layer1/config-audit.d.ts +0 -11
- package/dist/layer1/config-audit.d.ts.map +0 -1
- package/dist/layer1/config-audit.js +0 -311
- package/dist/layer1/config-audit.js.map +0 -1
- package/dist/layer1/config-mcp-audit.d.ts +0 -23
- package/dist/layer1/config-mcp-audit.d.ts.map +0 -1
- package/dist/layer1/config-mcp-audit.js +0 -239
- package/dist/layer1/config-mcp-audit.js.map +0 -1
- package/dist/layer1/entropy.d.ts +0 -11
- package/dist/layer1/entropy.d.ts.map +0 -1
- package/dist/layer1/entropy.js +0 -741
- package/dist/layer1/entropy.js.map +0 -1
- package/dist/layer1/file-flags.d.ts +0 -10
- package/dist/layer1/file-flags.d.ts.map +0 -1
- package/dist/layer1/file-flags.js +0 -119
- package/dist/layer1/file-flags.js.map +0 -1
- package/dist/layer1/index.d.ts +0 -38
- package/dist/layer1/index.d.ts.map +0 -1
- package/dist/layer1/index.js +0 -170
- package/dist/layer1/index.js.map +0 -1
- package/dist/layer1/patterns.d.ts +0 -11
- package/dist/layer1/patterns.d.ts.map +0 -1
- package/dist/layer1/patterns.js +0 -512
- package/dist/layer1/patterns.js.map +0 -1
- package/dist/layer1/urls.d.ts +0 -11
- package/dist/layer1/urls.d.ts.map +0 -1
- package/dist/layer1/urls.js +0 -444
- package/dist/layer1/urls.js.map +0 -1
- package/dist/layer1/weak-crypto.d.ts +0 -10
- package/dist/layer1/weak-crypto.d.ts.map +0 -1
- package/dist/layer1/weak-crypto.js +0 -428
- package/dist/layer1/weak-crypto.js.map +0 -1
- package/dist/layer2/ai-agent-tools.d.ts +0 -22
- package/dist/layer2/ai-agent-tools.d.ts.map +0 -1
- package/dist/layer2/ai-agent-tools.js +0 -1490
- package/dist/layer2/ai-agent-tools.js.map +0 -1
- package/dist/layer2/ai-endpoint-protection.d.ts +0 -38
- package/dist/layer2/ai-endpoint-protection.d.ts.map +0 -1
- package/dist/layer2/ai-endpoint-protection.js +0 -346
- package/dist/layer2/ai-endpoint-protection.js.map +0 -1
- package/dist/layer2/ai-execution-sinks.d.ts +0 -21
- package/dist/layer2/ai-execution-sinks.d.ts.map +0 -1
- package/dist/layer2/ai-execution-sinks.js +0 -1155
- package/dist/layer2/ai-execution-sinks.js.map +0 -1
- package/dist/layer2/ai-fingerprinting.d.ts +0 -10
- package/dist/layer2/ai-fingerprinting.d.ts.map +0 -1
- package/dist/layer2/ai-fingerprinting.js +0 -650
- package/dist/layer2/ai-fingerprinting.js.map +0 -1
- package/dist/layer2/ai-mcp-security.d.ts +0 -20
- package/dist/layer2/ai-mcp-security.d.ts.map +0 -1
- package/dist/layer2/ai-mcp-security.js +0 -877
- package/dist/layer2/ai-mcp-security.js.map +0 -1
- package/dist/layer2/ai-package-hallucination.d.ts +0 -22
- package/dist/layer2/ai-package-hallucination.d.ts.map +0 -1
- package/dist/layer2/ai-package-hallucination.js +0 -828
- package/dist/layer2/ai-package-hallucination.js.map +0 -1
- package/dist/layer2/ai-prompt-hygiene.d.ts +0 -22
- package/dist/layer2/ai-prompt-hygiene.d.ts.map +0 -1
- package/dist/layer2/ai-prompt-hygiene.js +0 -1156
- package/dist/layer2/ai-prompt-hygiene.js.map +0 -1
- package/dist/layer2/ai-rag-safety.d.ts +0 -24
- package/dist/layer2/ai-rag-safety.d.ts.map +0 -1
- package/dist/layer2/ai-rag-safety.js +0 -910
- package/dist/layer2/ai-rag-safety.js.map +0 -1
- package/dist/layer2/ai-schema-validation.d.ts +0 -28
- package/dist/layer2/ai-schema-validation.d.ts.map +0 -1
- package/dist/layer2/ai-schema-validation.js +0 -375
- package/dist/layer2/ai-schema-validation.js.map +0 -1
- package/dist/layer2/auth-antipatterns.d.ts +0 -22
- package/dist/layer2/auth-antipatterns.d.ts.map +0 -1
- package/dist/layer2/auth-antipatterns.js +0 -522
- package/dist/layer2/auth-antipatterns.js.map +0 -1
- package/dist/layer2/byok-patterns.d.ts +0 -15
- package/dist/layer2/byok-patterns.d.ts.map +0 -1
- package/dist/layer2/byok-patterns.js +0 -302
- package/dist/layer2/byok-patterns.js.map +0 -1
- package/dist/layer2/dangerous-functions/child-process.d.ts +0 -16
- package/dist/layer2/dangerous-functions/child-process.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/child-process.js +0 -74
- package/dist/layer2/dangerous-functions/child-process.js.map +0 -1
- package/dist/layer2/dangerous-functions/dom-xss.d.ts +0 -34
- package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/dom-xss.js +0 -230
- package/dist/layer2/dangerous-functions/dom-xss.js.map +0 -1
- package/dist/layer2/dangerous-functions/index.d.ts +0 -16
- package/dist/layer2/dangerous-functions/index.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/index.js +0 -1152
- package/dist/layer2/dangerous-functions/index.js.map +0 -1
- package/dist/layer2/dangerous-functions/json-parse.d.ts +0 -31
- package/dist/layer2/dangerous-functions/json-parse.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/json-parse.js +0 -319
- package/dist/layer2/dangerous-functions/json-parse.js.map +0 -1
- package/dist/layer2/dangerous-functions/math-random.d.ts +0 -111
- package/dist/layer2/dangerous-functions/math-random.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/math-random.js +0 -684
- package/dist/layer2/dangerous-functions/math-random.js.map +0 -1
- package/dist/layer2/dangerous-functions/patterns.d.ts +0 -21
- package/dist/layer2/dangerous-functions/patterns.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/patterns.js +0 -163
- package/dist/layer2/dangerous-functions/patterns.js.map +0 -1
- package/dist/layer2/dangerous-functions/request-validation.d.ts +0 -13
- package/dist/layer2/dangerous-functions/request-validation.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/request-validation.js +0 -119
- package/dist/layer2/dangerous-functions/request-validation.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +0 -24
- package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/control-flow.js +0 -70
- package/dist/layer2/dangerous-functions/utils/control-flow.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts +0 -31
- package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/helpers.js +0 -147
- package/dist/layer2/dangerous-functions/utils/helpers.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/index.d.ts +0 -9
- package/dist/layer2/dangerous-functions/utils/index.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/index.js +0 -23
- package/dist/layer2/dangerous-functions/utils/index.js.map +0 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +0 -22
- package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +0 -1
- package/dist/layer2/dangerous-functions/utils/schema-validation.js +0 -102
- package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +0 -1
- package/dist/layer2/data-exposure.d.ts +0 -19
- package/dist/layer2/data-exposure.d.ts.map +0 -1
- package/dist/layer2/data-exposure.js +0 -255
- package/dist/layer2/data-exposure.js.map +0 -1
- package/dist/layer2/framework-checks.d.ts +0 -10
- package/dist/layer2/framework-checks.d.ts.map +0 -1
- package/dist/layer2/framework-checks.js +0 -384
- package/dist/layer2/framework-checks.js.map +0 -1
- package/dist/layer2/index.d.ts +0 -74
- package/dist/layer2/index.d.ts.map +0 -1
- package/dist/layer2/index.js +0 -544
- package/dist/layer2/index.js.map +0 -1
- package/dist/layer2/log-injection.d.ts +0 -18
- package/dist/layer2/log-injection.d.ts.map +0 -1
- package/dist/layer2/log-injection.js +0 -214
- package/dist/layer2/log-injection.js.map +0 -1
- package/dist/layer2/logic-gates.d.ts +0 -10
- package/dist/layer2/logic-gates.d.ts.map +0 -1
- package/dist/layer2/logic-gates.js +0 -220
- package/dist/layer2/logic-gates.js.map +0 -1
- package/dist/layer2/model-supply-chain.d.ts +0 -23
- package/dist/layer2/model-supply-chain.d.ts.map +0 -1
- package/dist/layer2/model-supply-chain.js +0 -444
- package/dist/layer2/model-supply-chain.js.map +0 -1
- package/dist/layer2/risky-imports.d.ts +0 -10
- package/dist/layer2/risky-imports.d.ts.map +0 -1
- package/dist/layer2/risky-imports.js +0 -165
- package/dist/layer2/risky-imports.js.map +0 -1
- package/dist/layer2/security-headers.d.ts +0 -18
- package/dist/layer2/security-headers.d.ts.map +0 -1
- package/dist/layer2/security-headers.js +0 -187
- package/dist/layer2/security-headers.js.map +0 -1
- package/dist/layer2/ssrf-detection.d.ts +0 -18
- package/dist/layer2/ssrf-detection.d.ts.map +0 -1
- package/dist/layer2/ssrf-detection.js +0 -252
- package/dist/layer2/ssrf-detection.js.map +0 -1
- package/dist/layer2/variables.d.ts +0 -11
- package/dist/layer2/variables.d.ts.map +0 -1
- package/dist/layer2/variables.js +0 -156
- package/dist/layer2/variables.js.map +0 -1
- package/dist/layer2/xxe-detection.d.ts +0 -18
- package/dist/layer2/xxe-detection.d.ts.map +0 -1
- package/dist/layer2/xxe-detection.js +0 -242
- package/dist/layer2/xxe-detection.js.map +0 -1
- package/dist/layer3/anthropic/auto-dismiss.d.ts +0 -24
- package/dist/layer3/anthropic/auto-dismiss.d.ts.map +0 -1
- package/dist/layer3/anthropic/auto-dismiss.js +0 -199
- package/dist/layer3/anthropic/auto-dismiss.js.map +0 -1
- package/dist/layer3/anthropic/clients.d.ts +0 -44
- package/dist/layer3/anthropic/clients.d.ts.map +0 -1
- package/dist/layer3/anthropic/clients.js +0 -81
- package/dist/layer3/anthropic/clients.js.map +0 -1
- package/dist/layer3/anthropic/index.d.ts +0 -41
- package/dist/layer3/anthropic/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/index.js +0 -141
- package/dist/layer3/anthropic/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/index.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/index.js +0 -16
- package/dist/layer3/anthropic/prompts/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts +0 -19
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js +0 -156
- package/dist/layer3/anthropic/prompts/modules/ai-patterns.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts +0 -9
- package/dist/layer3/anthropic/prompts/modules/auth-access.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/auth-access.js +0 -25
- package/dist/layer3/anthropic/prompts/modules/auth-access.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/common.d.ts +0 -11
- package/dist/layer3/anthropic/prompts/modules/common.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/common.js +0 -152
- package/dist/layer3/anthropic/prompts/modules/common.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/index.d.ts +0 -54
- package/dist/layer3/anthropic/prompts/modules/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/index.js +0 -185
- package/dist/layer3/anthropic/prompts/modules/index.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js +0 -84
- package/dist/layer3/anthropic/prompts/modules/owasp-classic.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js +0 -68
- package/dist/layer3/anthropic/prompts/modules/secrets-crypto.js.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts +0 -8
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js +0 -22
- package/dist/layer3/anthropic/prompts/modules/xss-prompt.js.map +0 -1
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +0 -15
- package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/semantic-analysis.js +0 -169
- package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +0 -1
- package/dist/layer3/anthropic/prompts/validation.d.ts +0 -18
- package/dist/layer3/anthropic/prompts/validation.d.ts.map +0 -1
- package/dist/layer3/anthropic/prompts/validation.js +0 -25
- package/dist/layer3/anthropic/prompts/validation.js.map +0 -1
- package/dist/layer3/anthropic/providers/anthropic.d.ts +0 -21
- package/dist/layer3/anthropic/providers/anthropic.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/anthropic.js +0 -269
- package/dist/layer3/anthropic/providers/anthropic.js.map +0 -1
- package/dist/layer3/anthropic/providers/index.d.ts +0 -8
- package/dist/layer3/anthropic/providers/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/index.js +0 -15
- package/dist/layer3/anthropic/providers/index.js.map +0 -1
- package/dist/layer3/anthropic/providers/openai.d.ts +0 -18
- package/dist/layer3/anthropic/providers/openai.d.ts.map +0 -1
- package/dist/layer3/anthropic/providers/openai.js +0 -343
- package/dist/layer3/anthropic/providers/openai.js.map +0 -1
- package/dist/layer3/anthropic/request-builder.d.ts +0 -27
- package/dist/layer3/anthropic/request-builder.d.ts.map +0 -1
- package/dist/layer3/anthropic/request-builder.js +0 -150
- package/dist/layer3/anthropic/request-builder.js.map +0 -1
- package/dist/layer3/anthropic/types.d.ts +0 -88
- package/dist/layer3/anthropic/types.d.ts.map +0 -1
- package/dist/layer3/anthropic/types.js +0 -38
- package/dist/layer3/anthropic/types.js.map +0 -1
- package/dist/layer3/anthropic/utils/context-extractor.d.ts +0 -55
- package/dist/layer3/anthropic/utils/context-extractor.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/context-extractor.js +0 -161
- package/dist/layer3/anthropic/utils/context-extractor.js.map +0 -1
- package/dist/layer3/anthropic/utils/index.d.ts +0 -11
- package/dist/layer3/anthropic/utils/index.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/index.js +0 -27
- package/dist/layer3/anthropic/utils/index.js.map +0 -1
- package/dist/layer3/anthropic/utils/path-helpers.d.ts +0 -21
- package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/path-helpers.js +0 -69
- package/dist/layer3/anthropic/utils/path-helpers.js.map +0 -1
- package/dist/layer3/anthropic/utils/response-parser.d.ts +0 -40
- package/dist/layer3/anthropic/utils/response-parser.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/response-parser.js +0 -285
- package/dist/layer3/anthropic/utils/response-parser.js.map +0 -1
- package/dist/layer3/anthropic/utils/retry.d.ts +0 -15
- package/dist/layer3/anthropic/utils/retry.d.ts.map +0 -1
- package/dist/layer3/anthropic/utils/retry.js +0 -62
- package/dist/layer3/anthropic/utils/retry.js.map +0 -1
- package/dist/layer3/index.d.ts +0 -27
- package/dist/layer3/index.d.ts.map +0 -1
- package/dist/layer3/index.js +0 -150
- package/dist/layer3/index.js.map +0 -1
- package/dist/layer3/osv-check.d.ts +0 -75
- package/dist/layer3/osv-check.d.ts.map +0 -1
- package/dist/layer3/osv-check.js +0 -308
- package/dist/layer3/osv-check.js.map +0 -1
- package/dist/layer3/package-check.d.ts +0 -63
- package/dist/layer3/package-check.d.ts.map +0 -1
- package/dist/layer3/package-check.js +0 -508
- package/dist/layer3/package-check.js.map +0 -1
- package/dist/model/cross-file-taint.d.ts +0 -40
- package/dist/model/cross-file-taint.d.ts.map +0 -1
- package/dist/model/cross-file-taint.js +0 -290
- package/dist/model/cross-file-taint.js.map +0 -1
- package/dist/model/function-classifier.d.ts +0 -32
- package/dist/model/function-classifier.d.ts.map +0 -1
- package/dist/model/function-classifier.js +0 -143
- package/dist/model/function-classifier.js.map +0 -1
- package/dist/model/sanitiser-detection.d.ts +0 -27
- package/dist/model/sanitiser-detection.d.ts.map +0 -1
- package/dist/model/sanitiser-detection.js +0 -224
- package/dist/model/sanitiser-detection.js.map +0 -1
- package/dist/model/sink-matcher.d.ts +0 -17
- package/dist/model/sink-matcher.d.ts.map +0 -1
- package/dist/model/sink-matcher.js +0 -141
- package/dist/model/sink-matcher.js.map +0 -1
- package/dist/model/sink-patterns.d.ts +0 -19
- package/dist/model/sink-patterns.d.ts.map +0 -1
- package/dist/model/sink-patterns.js +0 -88
- package/dist/model/sink-patterns.js.map +0 -1
- package/dist/model/source-discovery.d.ts +0 -15
- package/dist/model/source-discovery.d.ts.map +0 -1
- package/dist/model/source-discovery.js +0 -170
- package/dist/model/source-discovery.js.map +0 -1
- package/dist/model/taint-tracker.d.ts +0 -21
- package/dist/model/taint-tracker.d.ts.map +0 -1
- package/dist/model/taint-tracker.js +0 -281
- package/dist/model/taint-tracker.js.map +0 -1
- package/dist/modes/incremental.d.ts +0 -66
- package/dist/modes/incremental.d.ts.map +0 -1
- package/dist/modes/incremental.js +0 -200
- package/dist/modes/incremental.js.map +0 -1
- package/dist/rules/framework-fixes.d.ts +0 -48
- package/dist/rules/framework-fixes.d.ts.map +0 -1
- package/dist/rules/framework-fixes.js +0 -439
- package/dist/rules/framework-fixes.js.map +0 -1
- package/dist/rules/index.d.ts +0 -8
- package/dist/rules/index.d.ts.map +0 -1
- package/dist/rules/index.js +0 -18
- package/dist/rules/index.js.map +0 -1
- package/dist/rules/metadata.d.ts +0 -43
- package/dist/rules/metadata.d.ts.map +0 -1
- package/dist/rules/metadata.js +0 -800
- package/dist/rules/metadata.js.map +0 -1
- package/dist/score/auto-dismiss.d.ts +0 -28
- package/dist/score/auto-dismiss.d.ts.map +0 -1
- package/dist/score/auto-dismiss.js +0 -200
- package/dist/score/auto-dismiss.js.map +0 -1
- package/dist/suppression/config-loader.d.ts +0 -74
- package/dist/suppression/config-loader.d.ts.map +0 -1
- package/dist/suppression/config-loader.js +0 -424
- package/dist/suppression/config-loader.js.map +0 -1
- package/dist/suppression/hash.d.ts +0 -48
- package/dist/suppression/hash.d.ts.map +0 -1
- package/dist/suppression/hash.js +0 -88
- package/dist/suppression/hash.js.map +0 -1
- package/dist/suppression/index.d.ts +0 -11
- package/dist/suppression/index.d.ts.map +0 -1
- package/dist/suppression/index.js +0 -39
- package/dist/suppression/index.js.map +0 -1
- package/dist/suppression/inline-parser.d.ts +0 -39
- package/dist/suppression/inline-parser.d.ts.map +0 -1
- package/dist/suppression/inline-parser.js +0 -218
- package/dist/suppression/inline-parser.js.map +0 -1
- package/dist/suppression/manager.d.ts +0 -94
- package/dist/suppression/manager.d.ts.map +0 -1
- package/dist/suppression/manager.js +0 -292
- package/dist/suppression/manager.js.map +0 -1
- package/dist/suppression/types.d.ts +0 -151
- package/dist/suppression/types.d.ts.map +0 -1
- package/dist/suppression/types.js +0 -28
- package/dist/suppression/types.js.map +0 -1
- package/dist/types.d.ts +0 -331
- package/dist/types.d.ts.map +0 -1
- package/dist/types.js +0 -124
- package/dist/types.js.map +0 -1
- package/dist/utils/auth-helper-detector.d.ts +0 -56
- package/dist/utils/auth-helper-detector.d.ts.map +0 -1
- package/dist/utils/auth-helper-detector.js +0 -360
- package/dist/utils/auth-helper-detector.js.map +0 -1
- package/dist/utils/code-analysis.d.ts +0 -39
- package/dist/utils/code-analysis.d.ts.map +0 -1
- package/dist/utils/code-analysis.js +0 -159
- package/dist/utils/code-analysis.js.map +0 -1
- package/dist/utils/comment-analyzer.d.ts +0 -38
- package/dist/utils/comment-analyzer.d.ts.map +0 -1
- package/dist/utils/comment-analyzer.js +0 -218
- package/dist/utils/comment-analyzer.js.map +0 -1
- package/dist/utils/context-helpers.d.ts +0 -219
- package/dist/utils/context-helpers.d.ts.map +0 -1
- package/dist/utils/context-helpers.js +0 -886
- package/dist/utils/context-helpers.js.map +0 -1
- package/dist/utils/diff-detector.d.ts +0 -53
- package/dist/utils/diff-detector.d.ts.map +0 -1
- package/dist/utils/diff-detector.js +0 -104
- package/dist/utils/diff-detector.js.map +0 -1
- package/dist/utils/diff-parser.d.ts +0 -80
- package/dist/utils/diff-parser.d.ts.map +0 -1
- package/dist/utils/diff-parser.js +0 -202
- package/dist/utils/diff-parser.js.map +0 -1
- package/dist/utils/environment-context.d.ts +0 -76
- package/dist/utils/environment-context.d.ts.map +0 -1
- package/dist/utils/environment-context.js +0 -271
- package/dist/utils/environment-context.js.map +0 -1
- package/dist/utils/imported-auth-detector.d.ts +0 -37
- package/dist/utils/imported-auth-detector.d.ts.map +0 -1
- package/dist/utils/imported-auth-detector.js +0 -251
- package/dist/utils/imported-auth-detector.js.map +0 -1
- package/dist/utils/intent-detector.d.ts +0 -66
- package/dist/utils/intent-detector.d.ts.map +0 -1
- package/dist/utils/intent-detector.js +0 -282
- package/dist/utils/intent-detector.js.map +0 -1
- package/dist/utils/middleware-detector.d.ts +0 -55
- package/dist/utils/middleware-detector.d.ts.map +0 -1
- package/dist/utils/middleware-detector.js +0 -260
- package/dist/utils/middleware-detector.js.map +0 -1
- package/dist/utils/oauth-flow-detector.d.ts +0 -41
- package/dist/utils/oauth-flow-detector.d.ts.map +0 -1
- package/dist/utils/oauth-flow-detector.js +0 -202
- package/dist/utils/oauth-flow-detector.js.map +0 -1
- package/dist/utils/parsed-file.d.ts +0 -51
- package/dist/utils/parsed-file.d.ts.map +0 -1
- package/dist/utils/parsed-file.js +0 -95
- package/dist/utils/parsed-file.js.map +0 -1
- package/dist/utils/path-exclusions.d.ts +0 -55
- package/dist/utils/path-exclusions.d.ts.map +0 -1
- package/dist/utils/path-exclusions.js +0 -224
- package/dist/utils/path-exclusions.js.map +0 -1
- package/dist/utils/project-context-builder.d.ts +0 -119
- package/dist/utils/project-context-builder.d.ts.map +0 -1
- package/dist/utils/project-context-builder.js +0 -534
- package/dist/utils/project-context-builder.js.map +0 -1
- package/dist/utils/registry-clients.d.ts +0 -93
- package/dist/utils/registry-clients.d.ts.map +0 -1
- package/dist/utils/registry-clients.js +0 -273
- package/dist/utils/registry-clients.js.map +0 -1
- package/dist/utils/route-hierarchy.d.ts +0 -50
- package/dist/utils/route-hierarchy.d.ts.map +0 -1
- package/dist/utils/route-hierarchy.js +0 -226
- package/dist/utils/route-hierarchy.js.map +0 -1
- package/dist/utils/schema-semantics.d.ts +0 -45
- package/dist/utils/schema-semantics.d.ts.map +0 -1
- package/dist/utils/schema-semantics.js +0 -193
- package/dist/utils/schema-semantics.js.map +0 -1
- package/dist/utils/trpc-analyzer.d.ts +0 -78
- package/dist/utils/trpc-analyzer.d.ts.map +0 -1
- package/dist/utils/trpc-analyzer.js +0 -297
- package/dist/utils/trpc-analyzer.js.map +0 -1
- package/src/__tests__/context-engine/cross-file-taint.test.ts +0 -284
- package/src/__tests__/context-engine/function-classifier.test.ts +0 -146
- package/src/__tests__/context-engine/integration.test.ts +0 -320
- package/src/__tests__/context-engine/sanitiser-detection.test.ts +0 -187
- package/src/__tests__/context-engine/sink-matcher.test.ts +0 -251
- package/src/__tests__/context-engine/source-discovery.test.ts +0 -186
- package/src/__tests__/context-engine/taint-tracker.test.ts +0 -182
- package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +0 -750
- package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +0 -555
- package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +0 -321
- package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +0 -439
- package/src/detect/ai-code/agent-tools.ts +0 -1662
- package/src/detect/ai-code/byok-patterns.ts +0 -354
- package/src/detect/ai-code/endpoint-protection.ts +0 -406
- package/src/detect/ai-code/execution-sinks.ts +0 -1310
- package/src/detect/ai-code/fingerprinting.ts +0 -774
- package/src/detect/ai-code/mcp-security.ts +0 -937
- package/src/detect/ai-code/model-supply-chain.ts +0 -535
- package/src/detect/ai-code/package-hallucination.ts +0 -955
- package/src/detect/ai-code/prompt-hygiene.ts +0 -1314
- package/src/detect/ai-code/rag-safety.ts +0 -977
- package/src/detect/ai-code/schema-validation.ts +0 -427
- package/src/detect/secrets/patterns.ts +0 -561
- package/src/detect/secrets/weak-crypto.ts +0 -485
- package/src/detect/structural/__tests__/math-random-enhanced.test.ts +0 -405
- package/src/detect/structural/auth-patterns.ts +0 -621
- package/src/detect/structural/dangerous-functions/child-process.ts +0 -98
- package/src/detect/structural/dangerous-functions/dom-xss.ts +0 -292
- package/src/detect/structural/dangerous-functions/index.ts +0 -1556
- package/src/detect/structural/dangerous-functions/json-parse.ts +0 -393
- package/src/detect/structural/dangerous-functions/math-random.ts +0 -789
- package/src/detect/structural/dangerous-functions/patterns.ts +0 -176
- package/src/detect/structural/dangerous-functions/request-validation.ts +0 -153
- package/src/detect/structural/dangerous-functions/utils/control-flow.ts +0 -35
- package/src/detect/structural/dangerous-functions/utils/helpers.ts +0 -170
- package/src/detect/structural/dangerous-functions/utils/index.ts +0 -25
- package/src/detect/structural/dangerous-functions/utils/schema-validation.ts +0 -106
- package/src/detect/structural/data-exposure.ts +0 -302
- package/src/detect/structural/framework-checks.ts +0 -439
- package/src/detect/structural/log-injection.ts +0 -254
- package/src/detect/structural/logic-gates.ts +0 -256
- package/src/detect/structural/risky-imports.ts +0 -197
- package/src/detect/structural/security-headers.ts +0 -231
- package/src/detect/structural/ssrf-detection.ts +0 -300
- package/src/detect/structural/variables.ts +0 -177
- package/src/detect/structural/xxe-detection.ts +0 -295
- package/src/model/cross-file-taint.ts +0 -374
- package/src/model/function-classifier.ts +0 -184
- package/src/model/sanitiser-detection.ts +0 -268
- package/src/model/sink-matcher.ts +0 -178
- package/src/model/sink-patterns.ts +0 -109
- package/src/model/source-discovery.ts +0 -209
- package/src/model/taint-tracker.ts +0 -333
- package/src/score/auto-dismiss.ts +0 -224
package/dist/layer2/variables.js
DELETED
|
@@ -1,156 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Layer 2: Variable Heuristics
|
|
4
|
-
* Identifies variable names associated with sensitive data
|
|
5
|
-
*/
|
|
6
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
-
exports.SENSITIVE_VARIABLE_PATTERNS = void 0;
|
|
8
|
-
exports.detectSensitiveVariables = detectSensitiveVariables;
|
|
9
|
-
const context_helpers_1 = require("../utils/context-helpers");
|
|
10
|
-
// Patterns for sensitive variable names
|
|
11
|
-
exports.SENSITIVE_VARIABLE_PATTERNS = [
|
|
12
|
-
// Password-related
|
|
13
|
-
{
|
|
14
|
-
pattern: /\b(password|passwd|pwd|pass)\s*[=:]/gi,
|
|
15
|
-
severity: 'high',
|
|
16
|
-
description: 'Variable name suggests password storage',
|
|
17
|
-
},
|
|
18
|
-
{
|
|
19
|
-
pattern: /\b(user_?password|admin_?password|db_?password|database_?password)\s*[=:]/gi,
|
|
20
|
-
severity: 'critical',
|
|
21
|
-
description: 'Variable name suggests database/admin password',
|
|
22
|
-
},
|
|
23
|
-
// Token-related
|
|
24
|
-
{
|
|
25
|
-
pattern: /\b(auth_?token|access_?token|refresh_?token|bearer_?token)\s*[=:]/gi,
|
|
26
|
-
severity: 'high',
|
|
27
|
-
description: 'Variable name suggests authentication token',
|
|
28
|
-
},
|
|
29
|
-
{
|
|
30
|
-
pattern: /\b(api_?token|api_?key|apikey)\s*[=:]/gi,
|
|
31
|
-
severity: 'high',
|
|
32
|
-
description: 'Variable name suggests API key/token',
|
|
33
|
-
},
|
|
34
|
-
// Secret-related
|
|
35
|
-
{
|
|
36
|
-
pattern: /\b(secret|secret_?key|private_?key|signing_?key)\s*[=:]/gi,
|
|
37
|
-
severity: 'high',
|
|
38
|
-
description: 'Variable name suggests secret/private key',
|
|
39
|
-
},
|
|
40
|
-
{
|
|
41
|
-
pattern: /\b(client_?secret|app_?secret|jwt_?secret)\s*[=:]/gi,
|
|
42
|
-
severity: 'critical',
|
|
43
|
-
description: 'Variable name suggests application secret',
|
|
44
|
-
},
|
|
45
|
-
// Credential-related
|
|
46
|
-
{
|
|
47
|
-
pattern: /\b(credential|credentials|creds)\s*[=:]/gi,
|
|
48
|
-
severity: 'high',
|
|
49
|
-
description: 'Variable name suggests credentials',
|
|
50
|
-
},
|
|
51
|
-
// Connection strings
|
|
52
|
-
{
|
|
53
|
-
pattern: /\b(connection_?string|conn_?string|database_?url|db_?url)\s*[=:]/gi,
|
|
54
|
-
severity: 'high',
|
|
55
|
-
description: 'Variable name suggests database connection string',
|
|
56
|
-
},
|
|
57
|
-
// Encryption keys
|
|
58
|
-
{
|
|
59
|
-
pattern: /\b(encryption_?key|decrypt_?key|cipher_?key|aes_?key)\s*[=:]/gi,
|
|
60
|
-
severity: 'critical',
|
|
61
|
-
description: 'Variable name suggests encryption key',
|
|
62
|
-
},
|
|
63
|
-
// SSH/Certificate
|
|
64
|
-
{
|
|
65
|
-
pattern: /\b(ssh_?key|private_?key|cert_?key|ssl_?key)\s*[=:]/gi,
|
|
66
|
-
severity: 'critical',
|
|
67
|
-
description: 'Variable name suggests SSH/SSL key',
|
|
68
|
-
},
|
|
69
|
-
];
|
|
70
|
-
// Check if the value looks like a placeholder or env var reference
|
|
71
|
-
function isPlaceholderOrEnvRef(line) {
|
|
72
|
-
const safePatterns = [
|
|
73
|
-
/[=:]\s*['"]?\s*$/, // Empty value
|
|
74
|
-
/[=:]\s*['"]?xxx/i, // xxx placeholder
|
|
75
|
-
/[=:]\s*['"]?your[-_]/i, // your-xxx placeholder
|
|
76
|
-
/[=:]\s*['"]?<[^>]+>/, // <placeholder>
|
|
77
|
-
/[=:]\s*['"]?\$\{/, // ${VAR} template
|
|
78
|
-
/[=:]\s*['"]?process\.env/, // process.env reference
|
|
79
|
-
/[=:]\s*['"]?env\(/, // env() function
|
|
80
|
-
/[=:]\s*['"]?getenv/i, // getenv function
|
|
81
|
-
/[=:]\s*['"]?os\.environ/, // Python os.environ
|
|
82
|
-
/[=:]\s*['"]?ENV\[/, // Ruby ENV
|
|
83
|
-
/[=:]\s*null\b/i, // null value
|
|
84
|
-
/[=:]\s*undefined\b/, // undefined value
|
|
85
|
-
/[=:]\s*None\b/, // Python None
|
|
86
|
-
/[=:]\s*['"]?TODO/i, // TODO placeholder
|
|
87
|
-
/[=:]\s*['"]?CHANGEME/i, // CHANGEME placeholder
|
|
88
|
-
/[=:]\s*['"]?REPLACE/i, // REPLACE placeholder
|
|
89
|
-
/\?\s*.*\s*:\s*/, // Ternary operator (conditional assignment)
|
|
90
|
-
/\|\|/, // OR fallback (e.g., ENV_VAR || '')
|
|
91
|
-
/\?\?/, // Nullish coalescing
|
|
92
|
-
/[A-Z_]{3,}_(?:KEY|TOKEN|SECRET)/, // References to env var constants
|
|
93
|
-
];
|
|
94
|
-
return safePatterns.some(pattern => pattern.test(line));
|
|
95
|
-
}
|
|
96
|
-
// Check if line is a comment
|
|
97
|
-
function isComment(line) {
|
|
98
|
-
const trimmed = line.trim();
|
|
99
|
-
return (trimmed.startsWith('//') ||
|
|
100
|
-
trimmed.startsWith('#') ||
|
|
101
|
-
trimmed.startsWith('*') ||
|
|
102
|
-
trimmed.startsWith('/*') ||
|
|
103
|
-
trimmed.startsWith('"""') ||
|
|
104
|
-
trimmed.startsWith("'''") ||
|
|
105
|
-
trimmed.startsWith('<!--'));
|
|
106
|
-
}
|
|
107
|
-
// Check if it's a type definition or interface
|
|
108
|
-
function isTypeDefinition(line) {
|
|
109
|
-
return (/^\s*(type|interface|class)\s/.test(line) ||
|
|
110
|
-
/:\s*(string|number|boolean|any)\s*[;,}]/.test(line) ||
|
|
111
|
-
/\?\s*:\s*\w+/.test(line));
|
|
112
|
-
}
|
|
113
|
-
function detectSensitiveVariables(content, filePath, options) {
|
|
114
|
-
const vulnerabilities = [];
|
|
115
|
-
// Skip scanner/fixture files to avoid self-detection
|
|
116
|
-
if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
|
|
117
|
-
return vulnerabilities;
|
|
118
|
-
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
119
|
-
lines.forEach((line, index) => {
|
|
120
|
-
// Skip comments
|
|
121
|
-
if (isComment(line))
|
|
122
|
-
return;
|
|
123
|
-
// Skip type definitions
|
|
124
|
-
if (isTypeDefinition(line))
|
|
125
|
-
return;
|
|
126
|
-
// Skip if it's a placeholder/env reference
|
|
127
|
-
if (isPlaceholderOrEnvRef(line))
|
|
128
|
-
return;
|
|
129
|
-
for (const pattern of exports.SENSITIVE_VARIABLE_PATTERNS) {
|
|
130
|
-
const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
|
|
131
|
-
if (regex.test(line)) {
|
|
132
|
-
// Extract the actual value to check if it's hardcoded
|
|
133
|
-
const valueMatch = line.match(/[=:]\s*['"]([^'"]+)['"]/i);
|
|
134
|
-
if (valueMatch && valueMatch[1].length > 3) {
|
|
135
|
-
// Has a non-trivial hardcoded value
|
|
136
|
-
vulnerabilities.push({
|
|
137
|
-
id: `var-${filePath}-${index + 1}`,
|
|
138
|
-
filePath,
|
|
139
|
-
lineNumber: index + 1,
|
|
140
|
-
lineContent: line.trim(),
|
|
141
|
-
severity: pattern.severity,
|
|
142
|
-
category: 'sensitive_variable',
|
|
143
|
-
title: 'Sensitive variable with hardcoded value',
|
|
144
|
-
description: pattern.description + '. The value appears to be hardcoded rather than loaded from environment.',
|
|
145
|
-
suggestedFix: 'Move this sensitive value to an environment variable or secure secrets manager.',
|
|
146
|
-
confidence: 'medium',
|
|
147
|
-
layer: 2,
|
|
148
|
-
});
|
|
149
|
-
}
|
|
150
|
-
break; // Only report once per line
|
|
151
|
-
}
|
|
152
|
-
}
|
|
153
|
-
});
|
|
154
|
-
return vulnerabilities;
|
|
155
|
-
}
|
|
156
|
-
//# sourceMappingURL=variables.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"variables.js","sourceRoot":"","sources":["../../src/layer2/variables.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAsHH,4DAmDC;AArKD,8DAAiE;AAEjE,wCAAwC;AAC3B,QAAA,2BAA2B,GAA+B;IACrE,mBAAmB;IACnB;QACE,OAAO,EAAE,uCAAuC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;KACvD;IACD;QACE,OAAO,EAAE,6EAA6E;QACtF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gDAAgD;KAC9D;IACD,gBAAgB;IAChB;QACE,OAAO,EAAE,qEAAqE;QAC9E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,OAAO,EAAE,yCAAyC;QAClD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sCAAsC;KACpD;IACD,iBAAiB;IACjB;QACE,OAAO,EAAE,2DAA2D;QACpE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,OAAO,EAAE,qDAAqD;QAC9D,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;KACzD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,oCAAoC;KAClD;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,oEAAoE;QAC7E,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,mDAAmD;KACjE;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,gEAAgE;QACzE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uCAAuC;KACrD;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oCAAoC;KAClD;CACF,CAAA;AAED,mEAAmE;AACnE,SAAS,qBAAqB,CAAC,IAAY;IACzC,MAAM,YAAY,GAAG;QACnB,kBAAkB,EAAqB,cAAc;QACrD,kBAAkB,EAAqB,kBAAkB;QACzD,uBAAuB,EAAgB,uBAAuB;QAC9D,qBAAqB,EAAkB,gBAAgB;QACvD,kBAAkB,EAAqB,kBAAkB;QACzD,0BAA0B,EAAa,wBAAwB;QAC/D,mBAAmB,EAAoB,iBAAiB;QACxD,qBAAqB,EAAkB,kBAAkB;QACzD,yBAAyB,EAAc,oBAAoB;QAC3D,mBAAmB,EAAoB,WAAW;QAClD,gBAAgB,EAAuB,aAAa;QACpD,oBAAoB,EAAmB,kBAAkB;QACzD,eAAe,EAAwB,cAAc;QACrD,mBAAmB,EAAoB,mBAAmB;QAC1D,uBAAuB,EAAgB,uBAAuB;QAC9D,sBAAsB,EAAiB,sBAAsB;QAC7D,gBAAgB,EAAuB,4CAA4C;QACnF,MAAM,EAAiC,oCAAoC;QAC3E,MAAM,EAAiC,qBAAqB;QAC5D,iCAAiC,EAAM,kCAAkC;KAC1E,CAAA;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAA;AACzD,CAAC;AAED,6BAA6B;AAC7B,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAA;IAC3B,OAAO,CACL,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;QACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC;QACzB,OAAO,CAAC,UAAU,CAAC,MAAM,CAAC,CAC3B,CAAA;AACH,CAAC;AAED,+CAA+C;AAC/C,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,CACL,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC;QACzC,yCAAyC,CAAC,IAAI,CAAC,IAAI,CAAC;QACpD,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAC1B,CAAA;AACH,CAAC;AAED,SAAgB,wBAAwB,CACtC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,qDAAqD;IACrD,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,gBAAgB;QAChB,IAAI,SAAS,CAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,wBAAwB;QACxB,IAAI,gBAAgB,CAAC,IAAI,CAAC;YAAE,OAAM;QAElC,2CAA2C;QAC3C,IAAI,qBAAqB,CAAC,IAAI,CAAC;YAAE,OAAM;QAEvC,KAAK,MAAM,OAAO,IAAI,mCAA2B,EAAE,CAAC;YAClD,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;YAEvE,IAAI,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrB,sDAAsD;gBACtD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAA;gBAEzD,IAAI,UAAU,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC3C,oCAAoC;oBACpC,eAAe,CAAC,IAAI,CAAC;wBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,KAAK,GAAG,CAAC,EAAE;wBAClC,QAAQ;wBACR,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,QAAQ,EAAE,oBAAoB;wBAC9B,KAAK,EAAE,yCAAyC;wBAChD,WAAW,EAAE,OAAO,CAAC,WAAW,GAAG,0EAA0E;wBAC7G,YAAY,EAAE,iFAAiF;wBAC/F,UAAU,EAAE,QAAQ;wBACpB,KAAK,EAAE,CAAC;qBACT,CAAC,CAAA;gBACJ,CAAC;gBACD,MAAK,CAAC,4BAA4B;YACpC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,eAAe,CAAA;AACxB,CAAC"}
|
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Layer 2: XXE (XML External Entity) Detector
|
|
3
|
-
* Detects XML parsing without entity expansion protection
|
|
4
|
-
*
|
|
5
|
-
* OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
|
|
6
|
-
* CWE-611: Improper Restriction of XML External Entity Reference
|
|
7
|
-
*/
|
|
8
|
-
import type { Vulnerability } from '../types';
|
|
9
|
-
import type { ParsedFile } from '../utils/parsed-file';
|
|
10
|
-
interface XXEOptions {
|
|
11
|
-
parsed?: ParsedFile;
|
|
12
|
-
}
|
|
13
|
-
/**
|
|
14
|
-
* Detect XXE patterns in code
|
|
15
|
-
*/
|
|
16
|
-
export declare function detectXXEPatterns(content: string, filePath: string, options?: XXEOptions): Vulnerability[];
|
|
17
|
-
export {};
|
|
18
|
-
//# sourceMappingURL=xxe-detection.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"xxe-detection.d.ts","sourceRoot":"","sources":["../../src/layer2/xxe-detection.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,UAAU,CAAA;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAA;AAOtD,UAAU,UAAU;IAClB,MAAM,CAAC,EAAE,UAAU,CAAA;CACpB;AA8LD;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,UAAU,GACnB,aAAa,EAAE,CAsDjB"}
|
|
@@ -1,242 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Layer 2: XXE (XML External Entity) Detector
|
|
4
|
-
* Detects XML parsing without entity expansion protection
|
|
5
|
-
*
|
|
6
|
-
* OWASP A02:2021 - Cryptographic Failures (was A04 in 2017)
|
|
7
|
-
* CWE-611: Improper Restriction of XML External Entity Reference
|
|
8
|
-
*/
|
|
9
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
-
exports.detectXXEPatterns = detectXXEPatterns;
|
|
11
|
-
const context_helpers_1 = require("../utils/context-helpers");
|
|
12
|
-
const XXE_PATTERNS = [
|
|
13
|
-
// ==================== Node.js ====================
|
|
14
|
-
{
|
|
15
|
-
pattern: /xml2js\.parseString|new\s+xml2js\.Parser/,
|
|
16
|
-
lang: 'node',
|
|
17
|
-
lib: 'xml2js',
|
|
18
|
-
safe: /explicitCharkey|xmlMode/,
|
|
19
|
-
severity: 'medium', // xml2js v0.5+ doesn't expand entities by default
|
|
20
|
-
extensions: ['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx'],
|
|
21
|
-
},
|
|
22
|
-
{
|
|
23
|
-
pattern: /libxmljs\.parseXml/,
|
|
24
|
-
lang: 'node',
|
|
25
|
-
lib: 'libxmljs',
|
|
26
|
-
safe: /noent\s*:\s*false/,
|
|
27
|
-
severity: 'high',
|
|
28
|
-
extensions: ['.js', '.ts', '.mjs', '.cjs'],
|
|
29
|
-
},
|
|
30
|
-
{
|
|
31
|
-
pattern: /new\s+DOMParser\(\)\.parseFromString/,
|
|
32
|
-
lang: 'node',
|
|
33
|
-
lib: 'DOMParser',
|
|
34
|
-
severity: 'low', // Browsers block XXE by default
|
|
35
|
-
extensions: ['.js', '.ts', '.jsx', '.tsx'],
|
|
36
|
-
},
|
|
37
|
-
{
|
|
38
|
-
pattern: /(?:xmldom|@xmldom\/xmldom)/,
|
|
39
|
-
lang: 'node',
|
|
40
|
-
lib: 'xmldom',
|
|
41
|
-
safe: /entityExpansionEnabled\s*:\s*false/,
|
|
42
|
-
severity: 'medium',
|
|
43
|
-
extensions: ['.js', '.ts', '.mjs', '.cjs'],
|
|
44
|
-
},
|
|
45
|
-
{
|
|
46
|
-
pattern: /(?:fast-xml-parser|XMLParser)/,
|
|
47
|
-
lang: 'node',
|
|
48
|
-
lib: 'fast-xml-parser',
|
|
49
|
-
safe: /processEntities\s*:\s*false/,
|
|
50
|
-
severity: 'medium',
|
|
51
|
-
extensions: ['.js', '.ts', '.mjs', '.cjs'],
|
|
52
|
-
},
|
|
53
|
-
// ==================== Python ====================
|
|
54
|
-
{
|
|
55
|
-
pattern: /xml\.etree\.ElementTree\.parse|ET\.parse|etree\.parse/,
|
|
56
|
-
lang: 'python',
|
|
57
|
-
lib: 'xml.etree.ElementTree',
|
|
58
|
-
safe: /defusedxml/,
|
|
59
|
-
severity: 'high',
|
|
60
|
-
extensions: ['.py'],
|
|
61
|
-
},
|
|
62
|
-
{
|
|
63
|
-
pattern: /lxml\.etree\.parse|etree\.fromstring/,
|
|
64
|
-
lang: 'python',
|
|
65
|
-
lib: 'lxml.etree',
|
|
66
|
-
safe: /resolve_entities\s*=\s*False|defusedxml/,
|
|
67
|
-
severity: 'high',
|
|
68
|
-
extensions: ['.py'],
|
|
69
|
-
},
|
|
70
|
-
{
|
|
71
|
-
pattern: /xml\.sax\.parse|xml\.dom\.minidom\.parse/,
|
|
72
|
-
lang: 'python',
|
|
73
|
-
lib: 'xml.sax/minidom',
|
|
74
|
-
safe: /defusedxml/,
|
|
75
|
-
severity: 'high',
|
|
76
|
-
extensions: ['.py'],
|
|
77
|
-
},
|
|
78
|
-
{
|
|
79
|
-
pattern: /xml\.dom\.pulldom/,
|
|
80
|
-
lang: 'python',
|
|
81
|
-
lib: 'xml.dom.pulldom',
|
|
82
|
-
safe: /defusedxml/,
|
|
83
|
-
severity: 'high',
|
|
84
|
-
extensions: ['.py'],
|
|
85
|
-
},
|
|
86
|
-
// ==================== Java ====================
|
|
87
|
-
{
|
|
88
|
-
pattern: /DocumentBuilderFactory\.newInstance/,
|
|
89
|
-
lang: 'java',
|
|
90
|
-
lib: 'DocumentBuilderFactory',
|
|
91
|
-
safe: /disallow-doctype-decl|FEATURE_SECURE_PROCESSING/,
|
|
92
|
-
severity: 'high',
|
|
93
|
-
extensions: ['.java'],
|
|
94
|
-
},
|
|
95
|
-
{
|
|
96
|
-
pattern: /SAXParserFactory\.newInstance/,
|
|
97
|
-
lang: 'java',
|
|
98
|
-
lib: 'SAXParserFactory',
|
|
99
|
-
safe: /disallow-doctype-decl|external-general-entities/,
|
|
100
|
-
severity: 'high',
|
|
101
|
-
extensions: ['.java'],
|
|
102
|
-
},
|
|
103
|
-
{
|
|
104
|
-
pattern: /XMLInputFactory\.newInstance/,
|
|
105
|
-
lang: 'java',
|
|
106
|
-
lib: 'XMLInputFactory',
|
|
107
|
-
safe: /IS_SUPPORTING_EXTERNAL_ENTITIES|SUPPORT_DTD/,
|
|
108
|
-
severity: 'high',
|
|
109
|
-
extensions: ['.java'],
|
|
110
|
-
},
|
|
111
|
-
{
|
|
112
|
-
pattern: /TransformerFactory\.newInstance/,
|
|
113
|
-
lang: 'java',
|
|
114
|
-
lib: 'TransformerFactory',
|
|
115
|
-
safe: /ACCESS_EXTERNAL_DTD|ACCESS_EXTERNAL_STYLESHEET/,
|
|
116
|
-
severity: 'high',
|
|
117
|
-
extensions: ['.java'],
|
|
118
|
-
},
|
|
119
|
-
// ==================== PHP ====================
|
|
120
|
-
{
|
|
121
|
-
pattern: /simplexml_load_string|simplexml_load_file/,
|
|
122
|
-
lang: 'php',
|
|
123
|
-
lib: 'simplexml',
|
|
124
|
-
safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)|LIBXML_NOENT/,
|
|
125
|
-
severity: 'high',
|
|
126
|
-
extensions: ['.php'],
|
|
127
|
-
},
|
|
128
|
-
{
|
|
129
|
-
pattern: /DOMDocument.*(?:loadXML|load)\b/,
|
|
130
|
-
lang: 'php',
|
|
131
|
-
lib: 'DOMDocument',
|
|
132
|
-
safe: /libxml_disable_entity_loader\s*\(\s*true\s*\)/,
|
|
133
|
-
severity: 'high',
|
|
134
|
-
extensions: ['.php'],
|
|
135
|
-
},
|
|
136
|
-
{
|
|
137
|
-
pattern: /XMLReader.*open/,
|
|
138
|
-
lang: 'php',
|
|
139
|
-
lib: 'XMLReader',
|
|
140
|
-
safe: /setParserProperty.*LOADDTD.*false/,
|
|
141
|
-
severity: 'high',
|
|
142
|
-
extensions: ['.php'],
|
|
143
|
-
},
|
|
144
|
-
];
|
|
145
|
-
/**
|
|
146
|
-
* Check if the file extension matches the expected language
|
|
147
|
-
*/
|
|
148
|
-
function matchesLanguageExtension(filePath, extensions) {
|
|
149
|
-
if (!extensions)
|
|
150
|
-
return true;
|
|
151
|
-
return extensions.some(ext => filePath.endsWith(ext));
|
|
152
|
-
}
|
|
153
|
-
/**
|
|
154
|
-
* Check surrounding context for safe configuration
|
|
155
|
-
*/
|
|
156
|
-
function hasSafeConfig(content, lines, lineIndex, safePattern, lang) {
|
|
157
|
-
if (!safePattern)
|
|
158
|
-
return false;
|
|
159
|
-
// For Python: check entire file for defusedxml import
|
|
160
|
-
if (lang === 'python' && /defusedxml/.test(safePattern.source)) {
|
|
161
|
-
if (/import\s+defusedxml|from\s+defusedxml/.test(content)) {
|
|
162
|
-
return true;
|
|
163
|
-
}
|
|
164
|
-
}
|
|
165
|
-
// Check surrounding context (±20 lines for Java setFeature, ±10 for others)
|
|
166
|
-
const windowSize = lang === 'java' ? 20 : 10;
|
|
167
|
-
const start = Math.max(0, lineIndex - windowSize);
|
|
168
|
-
const end = Math.min(lines.length, lineIndex + windowSize + 1);
|
|
169
|
-
const context = lines.slice(start, end).join('\n');
|
|
170
|
-
return safePattern.test(context);
|
|
171
|
-
}
|
|
172
|
-
/**
|
|
173
|
-
* Detect XXE patterns in code
|
|
174
|
-
*/
|
|
175
|
-
function detectXXEPatterns(content, filePath, options) {
|
|
176
|
-
const vulnerabilities = [];
|
|
177
|
-
if ((0, context_helpers_1.isScannerOrFixtureFile)(filePath))
|
|
178
|
-
return vulnerabilities;
|
|
179
|
-
const isTestFile = (0, context_helpers_1.isTestOrMockFile)(filePath);
|
|
180
|
-
const lines = options?.parsed?.lines ?? content.split('\n');
|
|
181
|
-
for (let i = 0; i < lines.length; i++) {
|
|
182
|
-
const line = lines[i];
|
|
183
|
-
if ((0, context_helpers_1.isComment)(line))
|
|
184
|
-
continue;
|
|
185
|
-
for (const xxePattern of XXE_PATTERNS) {
|
|
186
|
-
// Check language extension match
|
|
187
|
-
if (!matchesLanguageExtension(filePath, xxePattern.extensions))
|
|
188
|
-
continue;
|
|
189
|
-
if (!xxePattern.pattern.test(line))
|
|
190
|
-
continue;
|
|
191
|
-
// Check for safe configuration
|
|
192
|
-
if (hasSafeConfig(content, lines, i, xxePattern.safe, xxePattern.lang))
|
|
193
|
-
continue;
|
|
194
|
-
let severity = xxePattern.severity || 'high';
|
|
195
|
-
// Downgrade for test files
|
|
196
|
-
if (isTestFile) {
|
|
197
|
-
severity = 'info';
|
|
198
|
-
}
|
|
199
|
-
// DOMParser in .tsx client files is inherently safe
|
|
200
|
-
if (xxePattern.lib === 'DOMParser' && (filePath.endsWith('.tsx') || filePath.endsWith('.jsx'))) {
|
|
201
|
-
severity = 'info';
|
|
202
|
-
}
|
|
203
|
-
vulnerabilities.push({
|
|
204
|
-
id: `xxe-${filePath}-${i + 1}-${xxePattern.lib}`,
|
|
205
|
-
filePath,
|
|
206
|
-
lineNumber: i + 1,
|
|
207
|
-
lineContent: line.trim(),
|
|
208
|
-
severity,
|
|
209
|
-
category: 'xxe',
|
|
210
|
-
title: `XXE risk: ${xxePattern.lib} XML parser without entity protection`,
|
|
211
|
-
description: `${xxePattern.lib} XML parser is used without disabling external entity processing. An attacker could supply malicious XML to read server files, perform SSRF, or cause denial-of-service.`,
|
|
212
|
-
suggestedFix: getSuggestedFix(xxePattern.lang, xxePattern.lib),
|
|
213
|
-
confidence: severity === 'high' ? 'high' : 'medium',
|
|
214
|
-
layer: 2,
|
|
215
|
-
requiresAIValidation: severity !== 'high',
|
|
216
|
-
});
|
|
217
|
-
break; // One finding per line
|
|
218
|
-
}
|
|
219
|
-
}
|
|
220
|
-
return vulnerabilities;
|
|
221
|
-
}
|
|
222
|
-
function getSuggestedFix(lang, lib) {
|
|
223
|
-
switch (lang) {
|
|
224
|
-
case 'python':
|
|
225
|
-
return 'Use defusedxml instead of the standard xml library: pip install defusedxml && from defusedxml.ElementTree import parse';
|
|
226
|
-
case 'java':
|
|
227
|
-
return 'Disable external entities: factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)';
|
|
228
|
-
case 'php':
|
|
229
|
-
return 'Disable entity loading: libxml_disable_entity_loader(true) before parsing XML';
|
|
230
|
-
case 'node':
|
|
231
|
-
if (lib === 'fast-xml-parser') {
|
|
232
|
-
return 'Disable entity processing: new XMLParser({ processEntities: false })';
|
|
233
|
-
}
|
|
234
|
-
if (lib === 'xml2js') {
|
|
235
|
-
return 'Consider upgrading to xml2js v0.5+ which has safer defaults, or use fast-xml-parser with processEntities: false';
|
|
236
|
-
}
|
|
237
|
-
return 'Disable external entity processing in the XML parser configuration';
|
|
238
|
-
default:
|
|
239
|
-
return 'Disable external entity processing in the XML parser configuration';
|
|
240
|
-
}
|
|
241
|
-
}
|
|
242
|
-
//# sourceMappingURL=xxe-detection.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"xxe-detection.js","sourceRoot":"","sources":["../../src/layer2/xxe-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA6MH,8CA0DC;AAnQD,8DAIiC;AAqBjC,MAAM,YAAY,GAAiB;IACjC,oDAAoD;IACpD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ,EAAE,kDAAkD;QACtE,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3D;IACD;QACE,OAAO,EAAE,oBAAoB;QAC7B,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,UAAU;QACf,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,WAAW;QAChB,QAAQ,EAAE,KAAK,EAAE,gCAAgC;QACjD,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,4BAA4B;QACrC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,QAAQ;QACb,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;KAC3C;IAED,mDAAmD;IACnD;QACE,OAAO,EAAE,uDAAuD;QAChE,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,uBAAuB;QAC5B,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,sCAAsC;QAC/C,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,YAAY;QACjB,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,0CAA0C;QACnD,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IACD;QACE,OAAO,EAAE,mBAAmB;QAC5B,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,YAAY;QAClB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,KAAK,CAAC;KACpB;IAED,iDAAiD;IACjD;QACE,OAAO,EAAE,qCAAqC;QAC9C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,wBAAwB;QAC7B,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,+BAA+B;QACxC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,kBAAkB;QACvB,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,8BAA8B;QACvC,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,iBAAiB;QACtB,IAAI,EAAE,6CAA6C;QACnD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,MAAM;QACZ,GAAG,EAAE,oBAAoB;QACzB,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,OAAO,CAAC;KACtB;IAED,gDAAgD;IAChD;QACE,OAAO,EAAE,2CAA2C;QACpD,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,4DAA4D;QAClE,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;IACD;QACE,OAAO,EAAE,iCAAiC;QAC1C,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,aAAa;QAClB,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;IACD;QACE,OAAO,EAAE,iBAAiB;QAC1B,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,CAAC,MAAM,CAAC;KACrB;CACF,CAAA;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,QAAgB,EAAE,UAAqB;IACvE,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAA;IAC5B,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAA;AACvD,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CACpB,OAAe,EACf,KAAe,EACf,SAAiB,EACjB,WAA+B,EAC/B,IAAY;IAEZ,IAAI,CAAC,WAAW;QAAE,OAAO,KAAK,CAAA;IAE9B,sDAAsD;IACtD,IAAI,IAAI,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/D,IAAI,uCAAuC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1D,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,4EAA4E;IAC5E,MAAM,UAAU,GAAG,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;IAC5C,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,UAAU,CAAC,CAAA;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,CAAC,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAElD,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;AAClC,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,OAAe,EACf,QAAgB,EAChB,OAAoB;IAEpB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAE5D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAE3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;QACrB,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,SAAQ;QAE7B,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;YACtC,iCAAiC;YACjC,IAAI,CAAC,wBAAwB,CAAC,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC;gBAAE,SAAQ;YAExE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAE5C,+BAA+B;YAC/B,IAAI,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,IAAI,CAAC;gBAAE,SAAQ;YAEhF,IAAI,QAAQ,GAA0B,UAAU,CAAC,QAAQ,IAAI,MAAM,CAAA;YAEnE,2BAA2B;YAC3B,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YAED,oDAAoD;YACpD,IAAI,UAAU,CAAC,GAAG,KAAK,WAAW,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBAC/F,QAAQ,GAAG,MAAM,CAAA;YACnB,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,EAAE;gBAChD,QAAQ;gBACR,UAAU,EAAE,CAAC,GAAG,CAAC;gBACjB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxB,QAAQ;gBACR,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,aAAa,UAAU,CAAC,GAAG,uCAAuC;gBACzE,WAAW,EACT,GAAG,UAAU,CAAC,GAAG,0KAA0K;gBAC7L,YAAY,EAAE,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC;gBAC9D,UAAU,EAAE,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBACnD,KAAK,EAAE,CAAC;gBACR,oBAAoB,EAAE,QAAQ,KAAK,MAAM;aAC1C,CAAC,CAAA;YAEF,MAAK,CAAC,uBAAuB;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,eAAe,CAAC,IAAY,EAAE,GAAW;IAChD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,QAAQ;YACX,OAAO,wHAAwH,CAAA;QACjI,KAAK,MAAM;YACT,OAAO,6GAA6G,CAAA;QACtH,KAAK,KAAK;YACR,OAAO,+EAA+E,CAAA;QACxF,KAAK,MAAM;YACT,IAAI,GAAG,KAAK,iBAAiB,EAAE,CAAC;gBAC9B,OAAO,sEAAsE,CAAA;YAC/E,CAAC;YACD,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;gBACrB,OAAO,iHAAiH,CAAA;YAC1H,CAAC;YACD,OAAO,oEAAoE,CAAA;QAC7E;YACE,OAAO,oEAAoE,CAAA;IAC/E,CAAC;AACH,CAAC"}
|
|
@@ -1,24 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Smart Auto-Dismiss Rules
|
|
3
|
-
*
|
|
4
|
-
* Instant filtering rules that don't require AI validation.
|
|
5
|
-
* These rules catch obvious false positives before sending to AI.
|
|
6
|
-
*/
|
|
7
|
-
import type { Vulnerability } from '../../types';
|
|
8
|
-
/**
|
|
9
|
-
* Apply smart auto-dismiss rules to filter obvious false positives
|
|
10
|
-
* Returns findings that should be sent to AI validation
|
|
11
|
-
*
|
|
12
|
-
* @param findings - Array of vulnerabilities to filter
|
|
13
|
-
* @param mode - 'validation' applies all rules (for AI validation candidates),
|
|
14
|
-
* 'surface' excludes cost-saving rules (for direct-surface findings)
|
|
15
|
-
*/
|
|
16
|
-
export declare function applyAutoDismissRules(findings: Vulnerability[], mode?: 'validation' | 'surface'): {
|
|
17
|
-
toValidate: Vulnerability[];
|
|
18
|
-
dismissed: Array<{
|
|
19
|
-
finding: Vulnerability;
|
|
20
|
-
rule: string;
|
|
21
|
-
reason: string;
|
|
22
|
-
}>;
|
|
23
|
-
};
|
|
24
|
-
//# sourceMappingURL=auto-dismiss.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"auto-dismiss.d.ts","sourceRoot":"","sources":["../../../src/layer3/anthropic/auto-dismiss.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AA2KhD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,aAAa,EAAE,EACzB,IAAI,GAAE,YAAY,GAAG,SAAwB,GAC5C;IACD,UAAU,EAAE,aAAa,EAAE,CAAA;IAC3B,SAAS,EAAE,KAAK,CAAC;QAAE,OAAO,EAAE,aAAa,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC3E,CA8BA"}
|
|
@@ -1,199 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* Smart Auto-Dismiss Rules
|
|
4
|
-
*
|
|
5
|
-
* Instant filtering rules that don't require AI validation.
|
|
6
|
-
* These rules catch obvious false positives before sending to AI.
|
|
7
|
-
*/
|
|
8
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
-
exports.applyAutoDismissRules = applyAutoDismissRules;
|
|
10
|
-
const context_helpers_1 = require("../../utils/context-helpers");
|
|
11
|
-
const tiers_1 = require("../../tiers");
|
|
12
|
-
// ============================================================================
|
|
13
|
-
// Auto-Dismiss Rules
|
|
14
|
-
// ============================================================================
|
|
15
|
-
const AUTO_DISMISS_RULES = [
|
|
16
|
-
// Test files - often contain intentional "vulnerable" patterns for testing
|
|
17
|
-
{
|
|
18
|
-
name: 'test_file',
|
|
19
|
-
check: (finding) => (0, context_helpers_1.isTestOrMockFile)(finding.filePath),
|
|
20
|
-
reason: 'Finding in test/mock file',
|
|
21
|
-
},
|
|
22
|
-
// Example/demo code - not production code
|
|
23
|
-
{
|
|
24
|
-
name: 'example_file',
|
|
25
|
-
check: (finding) => (0, context_helpers_1.isExampleFile)(finding.filePath),
|
|
26
|
-
reason: 'Finding in example/demo file',
|
|
27
|
-
},
|
|
28
|
-
// Documentation files
|
|
29
|
-
{
|
|
30
|
-
name: 'documentation_file',
|
|
31
|
-
check: (finding) => /\.(md|mdx|txt|rst)$/i.test(finding.filePath),
|
|
32
|
-
reason: 'Finding in documentation file',
|
|
33
|
-
},
|
|
34
|
-
// Scanner/security tool code itself
|
|
35
|
-
{
|
|
36
|
-
name: 'scanner_code',
|
|
37
|
-
check: (finding) => (0, context_helpers_1.isScannerOrFixtureFile)(finding.filePath),
|
|
38
|
-
reason: 'Finding in scanner/fixture code',
|
|
39
|
-
},
|
|
40
|
-
// Environment variable references (not hardcoded secrets)
|
|
41
|
-
{
|
|
42
|
-
name: 'env_var_reference',
|
|
43
|
-
check: (finding) => {
|
|
44
|
-
if (finding.category !== 'hardcoded_secret' && finding.category !== 'high_entropy_string') {
|
|
45
|
-
return false;
|
|
46
|
-
}
|
|
47
|
-
return (0, context_helpers_1.isEnvVarReference)(finding.lineContent);
|
|
48
|
-
},
|
|
49
|
-
reason: 'Uses environment variable (not hardcoded)',
|
|
50
|
-
},
|
|
51
|
-
// Public health check endpoints don't need auth
|
|
52
|
-
{
|
|
53
|
-
name: 'health_check_endpoint',
|
|
54
|
-
check: (finding) => {
|
|
55
|
-
if (finding.category !== 'missing_auth')
|
|
56
|
-
return false;
|
|
57
|
-
return (0, context_helpers_1.isPublicEndpoint)(finding.lineContent, finding.filePath);
|
|
58
|
-
},
|
|
59
|
-
reason: 'Public health check endpoint (auth not required)',
|
|
60
|
-
},
|
|
61
|
-
// CSS/Tailwind classes flagged as high entropy
|
|
62
|
-
{
|
|
63
|
-
name: 'css_classes',
|
|
64
|
-
check: (finding) => {
|
|
65
|
-
if (finding.category !== 'high_entropy_string')
|
|
66
|
-
return false;
|
|
67
|
-
const cssIndicators = ['flex', 'grid', 'text-', 'bg-', 'px-', 'py-', 'rounded', 'shadow', 'hover:', 'dark:'];
|
|
68
|
-
const lowerLine = finding.lineContent.toLowerCase();
|
|
69
|
-
const matchCount = cssIndicators.filter(ind => lowerLine.includes(ind)).length;
|
|
70
|
-
return matchCount >= 2;
|
|
71
|
-
},
|
|
72
|
-
reason: 'CSS/Tailwind classes (not a secret)',
|
|
73
|
-
},
|
|
74
|
-
// Comment lines shouldn't be flagged for most categories
|
|
75
|
-
{
|
|
76
|
-
name: 'comment_line',
|
|
77
|
-
check: (finding) => {
|
|
78
|
-
// Some categories are valid in comments (e.g., TODO security)
|
|
79
|
-
if (finding.category === 'ai_pattern')
|
|
80
|
-
return false;
|
|
81
|
-
return (0, context_helpers_1.isComment)(finding.lineContent);
|
|
82
|
-
},
|
|
83
|
-
reason: 'Code comment (not executable)',
|
|
84
|
-
},
|
|
85
|
-
// Info severity already - no need to validate
|
|
86
|
-
// BUT: Only auto-dismiss info-severity for Tier A (core) findings
|
|
87
|
-
// Tier B (ai_assisted) findings MUST go through AI validation even at info severity
|
|
88
|
-
// because detectors may have pre-downgraded them based on partial context
|
|
89
|
-
{
|
|
90
|
-
name: 'info_severity_core_only',
|
|
91
|
-
check: (finding) => {
|
|
92
|
-
if (finding.severity !== 'info')
|
|
93
|
-
return false;
|
|
94
|
-
// Only auto-dismiss info-severity for Tier A (core) findings
|
|
95
|
-
// Tier B should always go through AI for proper validation
|
|
96
|
-
const tier = (0, tiers_1.getTierForCategory)(finding.category, finding.layer);
|
|
97
|
-
return tier === 'core';
|
|
98
|
-
},
|
|
99
|
-
reason: 'Already info severity for core detector (low priority)',
|
|
100
|
-
},
|
|
101
|
-
// Generic success/error messages in ai_pattern
|
|
102
|
-
{
|
|
103
|
-
name: 'generic_message',
|
|
104
|
-
check: (finding) => {
|
|
105
|
-
if (finding.category !== 'ai_pattern')
|
|
106
|
-
return false;
|
|
107
|
-
const genericPatterns = [
|
|
108
|
-
/['"`](success|done|ok|completed|finished|saved|updated|deleted|created)['"`]/i,
|
|
109
|
-
/['"`]something went wrong['"`]/i,
|
|
110
|
-
/['"`]an error occurred['"`]/i,
|
|
111
|
-
/console\.(log|info|debug)\s*\(\s*['"`][^'"]+['"`]\s*\)/i,
|
|
112
|
-
];
|
|
113
|
-
return genericPatterns.some(p => p.test(finding.lineContent));
|
|
114
|
-
},
|
|
115
|
-
reason: 'Generic UI message (not security-relevant)',
|
|
116
|
-
},
|
|
117
|
-
// Type definitions with 'any' - often necessary for third-party libs
|
|
118
|
-
{
|
|
119
|
-
name: 'type_definition_any',
|
|
120
|
-
check: (finding) => {
|
|
121
|
-
if (finding.category !== 'ai_pattern')
|
|
122
|
-
return false;
|
|
123
|
-
if (!finding.title.toLowerCase().includes('any'))
|
|
124
|
-
return false;
|
|
125
|
-
// Check if it's in a .d.ts file or type definition context
|
|
126
|
-
if (finding.filePath.includes('.d.ts'))
|
|
127
|
-
return true;
|
|
128
|
-
const typeDefPatterns = [/^type\s+\w+\s*=/, /^interface\s+\w+/, /declare\s+(const|let|var|function|class)/];
|
|
129
|
-
return typeDefPatterns.some(p => p.test(finding.lineContent.trim()));
|
|
130
|
-
},
|
|
131
|
-
reason: 'Type definition (not runtime code)',
|
|
132
|
-
},
|
|
133
|
-
// setTimeout/setInterval magic numbers - code style, not security
|
|
134
|
-
{
|
|
135
|
-
name: 'timeout_magic_number',
|
|
136
|
-
check: (finding) => {
|
|
137
|
-
if (finding.category !== 'ai_pattern')
|
|
138
|
-
return false;
|
|
139
|
-
return /set(Timeout|Interval)\s*\([^,]+,\s*\d+\s*\)/.test(finding.lineContent);
|
|
140
|
-
},
|
|
141
|
-
reason: 'Timeout value (code style, not security)',
|
|
142
|
-
},
|
|
143
|
-
// Low-value AI pattern findings - code quality, not security
|
|
144
|
-
{
|
|
145
|
-
name: 'low_severity_ai_pattern',
|
|
146
|
-
check: (finding) => {
|
|
147
|
-
if (finding.category !== 'ai_pattern')
|
|
148
|
-
return false;
|
|
149
|
-
return finding.severity === 'info' || finding.severity === 'low';
|
|
150
|
-
},
|
|
151
|
-
reason: 'Low-severity AI pattern (code quality, not security vulnerability)',
|
|
152
|
-
},
|
|
153
|
-
];
|
|
154
|
-
// ============================================================================
|
|
155
|
-
// Apply Auto-Dismiss Rules
|
|
156
|
-
// ============================================================================
|
|
157
|
-
/**
|
|
158
|
-
* Rules that should NOT be applied to direct-surface findings.
|
|
159
|
-
* These rules are designed to reduce AI validation costs, not to suppress findings entirely.
|
|
160
|
-
*/
|
|
161
|
-
const VALIDATION_ONLY_RULES = new Set([
|
|
162
|
-
'info_severity_core_only', // Info findings should surface, just not go through expensive AI validation
|
|
163
|
-
'low_severity_ai_pattern', // Low/info AI patterns are code quality, not security — skip AI validation
|
|
164
|
-
]);
|
|
165
|
-
/**
|
|
166
|
-
* Apply smart auto-dismiss rules to filter obvious false positives
|
|
167
|
-
* Returns findings that should be sent to AI validation
|
|
168
|
-
*
|
|
169
|
-
* @param findings - Array of vulnerabilities to filter
|
|
170
|
-
* @param mode - 'validation' applies all rules (for AI validation candidates),
|
|
171
|
-
* 'surface' excludes cost-saving rules (for direct-surface findings)
|
|
172
|
-
*/
|
|
173
|
-
function applyAutoDismissRules(findings, mode = 'validation') {
|
|
174
|
-
const toValidate = [];
|
|
175
|
-
const dismissed = [];
|
|
176
|
-
// Filter rules based on mode
|
|
177
|
-
const applicableRules = mode === 'surface'
|
|
178
|
-
? AUTO_DISMISS_RULES.filter(rule => !VALIDATION_ONLY_RULES.has(rule.name))
|
|
179
|
-
: AUTO_DISMISS_RULES;
|
|
180
|
-
for (const finding of findings) {
|
|
181
|
-
let wasDismissed = false;
|
|
182
|
-
for (const rule of applicableRules) {
|
|
183
|
-
if (rule.check(finding)) {
|
|
184
|
-
dismissed.push({
|
|
185
|
-
finding,
|
|
186
|
-
rule: rule.name,
|
|
187
|
-
reason: rule.reason,
|
|
188
|
-
});
|
|
189
|
-
wasDismissed = true;
|
|
190
|
-
break;
|
|
191
|
-
}
|
|
192
|
-
}
|
|
193
|
-
if (!wasDismissed) {
|
|
194
|
-
toValidate.push(finding);
|
|
195
|
-
}
|
|
196
|
-
}
|
|
197
|
-
return { toValidate, dismissed };
|
|
198
|
-
}
|
|
199
|
-
//# sourceMappingURL=auto-dismiss.js.map
|