npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/dist/layer2/dangerous-functions/json-parse.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * JSON.parse Detection
+ *
+ * Source-aware detection of JSON.parse usage with severity classification
+ * based on the data source and error handling context.
+ */
+import type { Vulnerability } from '../../types';
+/**
+ * JSON.parse source classification
+ * Determines if the input is user-controlled or internal data
+ */
+export type JSONParseSource = 'user_input' | 'local_storage' | 'database' | 'config' | 'migration' | 'internal' | 'test_fixture' | 'ui_state' | 'unknown';
+/**
+ * Check if file path indicates a low-risk context for JSON.parse
+ */
+export declare function isLowRiskJSONParseFile(filePath: string): JSONParseSource | null;
+/**
+ * Check if JSON.parse is parsing a trusted SDK response
+ * These are well-defined responses from known APIs and are safe to parse
+ */
+export declare function isTrustedSDKResponse(lineContent: string, content: string): boolean;
+/**
+ * Classify the source of data being passed to JSON.parse
+ */
+export declare function classifyJSONParseSource(lineContent: string, filePath: string): JSONParseSource;
+/**
+ * Detect JSON.parse usage with source-aware severity
+ * Much smarter than simple pattern matching - considers try/catch and data source
+ */
+export declare function detectJSONParseSafe(content: string, filePath: string, isTestFile: boolean, vulnerabilities: Vulnerability[]): void;
+//# sourceMappingURL=json-parse.d.ts.map

package/dist/layer2/dangerous-functions/json-parse.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"json-parse.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/json-parse.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAyB,MAAM,aAAa,CAAA;AAKvE;;;GAGG;AACH,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,eAAe,GACf,UAAU,GACV,QAAQ,GACR,WAAW,GACX,UAAU,GACV,cAAc,GACd,UAAU,GACV,SAAS,CAAA;AAEb;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CA+C/E;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CA0BlF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,MAAM,GACf,eAAe,CAoEjB;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,OAAO,EACnB,eAAe,EAAE,aAAa,EAAE,GAC/B,IAAI,CA4LN"}

package/dist/layer2/dangerous-functions/json-parse.js ADDED Viewed

@@ -0,0 +1,319 @@
+"use strict";
+/**
+ * JSON.parse Detection
+ *
+ * Source-aware detection of JSON.parse usage with severity classification
+ * based on the data source and error handling context.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isLowRiskJSONParseFile = isLowRiskJSONParseFile;
+exports.isTrustedSDKResponse = isTrustedSDKResponse;
+exports.classifyJSONParseSource = classifyJSONParseSource;
+exports.detectJSONParseSafe = detectJSONParseSafe;
+const context_helpers_1 = require("../../utils/context-helpers");
+const control_flow_1 = require("./utils/control-flow");
+const schema_validation_1 = require("./utils/schema-validation");
+/**
+ * Check if file path indicates a low-risk context for JSON.parse
+ */
+function isLowRiskJSONParseFile(filePath) {
+    // Test/mock files - skip or info only
+    if ((0, context_helpers_1.isTestOrMockFile)(filePath)) {
+        return 'test_fixture';
+    }
+    // Settings/preferences components - internal UI state
+    if (/\/(components|pages)\/(settings|preferences|config)/i.test(filePath)) {
+        return 'ui_state';
+    }
+    // Provider/context files - typically storing state in localStorage
+    if (/Provider\.(ts|tsx|js|jsx)$/i.test(filePath)) {
+        return 'ui_state';
+    }
+    // Modal/Dialog components - typically internal state
+    if (/(Modal|Dialog|Settings|Preferences)\.(ts|tsx|js|jsx)$/i.test(filePath)) {
+        return 'ui_state';
+    }
+    // __mocks__ directory
+    if (/__mocks__/i.test(filePath)) {
+        return 'test_fixture';
+    }
+    // fixtures directory
+    if (/\/(fixtures?|stubs?|mocks?)\//i.test(filePath)) {
+        return 'test_fixture';
+    }
+    // scripts/tools directories (internal tooling)
+    if (/\/(scripts?|tools?|cli)\//i.test(filePath)) {
+        return 'internal';
+    }
+    // Migration files
+    if (/migration/i.test(filePath)) {
+        return 'migration';
+    }
+    // Config files
+    if (/\/(config|settings|constants)\.(ts|js)/i.test(filePath)) {
+        return 'config';
+    }
+    return null;
+}
+/**
+ * Check if JSON.parse is parsing a trusted SDK response
+ * These are well-defined responses from known APIs and are safe to parse
+ */
+function isTrustedSDKResponse(lineContent, content) {
+    const trustedPatterns = [
+        // OpenAI SDK responses
+        /JSON\.parse\s*\(\s*(?:response|completion|result|message)\.(?:content|text|data)/i,
+        /JSON\.parse\s*\(\s*(?:openai|anthropic|client)\./i,
+        // Fetch response.json() result (already parsed by fetch)
+        /JSON\.parse\s*\(\s*await\s+.*\.json\s*\(\s*\)\s*\)/i,
+        // SDK method results
+        /JSON\.parse\s*\(\s*(?:result|response)\.(?:choices|content|data|body)\[/i,
+        // AI SDK streaming results
+        /JSON\.parse\s*\(\s*(?:chunk|delta|part)\.(?:content|text)/i,
+    ];
+    if (trustedPatterns.some(p => p.test(lineContent))) {
+        return true;
+    }
+    // Check surrounding context for SDK usage
+    const sdkContextPatterns = [
+        /openai\..*\.create/i,
+        /anthropic\..*\.create/i,
+        /\.chat\.completions/i,
+        /\.messages\.create/i,
+    ];
+    return sdkContextPatterns.some(p => p.test(content));
+}
+/**
+ * Classify the source of data being passed to JSON.parse
+ */
+function classifyJSONParseSource(lineContent, filePath) {
+    // First check file path for low-risk contexts
+    const fileBasedSource = isLowRiskJSONParseFile(filePath);
+    if (fileBasedSource) {
+        return fileBasedSource;
+    }
+    // User input - potentially dangerous
+    const userInputPatterns = [
+        /JSON\.parse\s*\(\s*(req|request)\.(body|query|params)/i,
+        /JSON\.parse\s*\(\s*event\.(body|queryStringParameters)/i, // AWS Lambda
+        /JSON\.parse\s*\(\s*ctx\.(request|body|query)/i, // Koa
+        /JSON\.parse\s*\(\s*(input|userInput|rawInput|payload)/i,
+        /JSON\.parse\s*\(\s*body\b/i, // Generic 'body' often means request body
+    ];
+    if (userInputPatterns.some(p => p.test(lineContent))) {
+        return 'user_input';
+    }
+    // localStorage/sessionStorage - client-side storage
+    const storagePatterns = [
+        /JSON\.parse\s*\(\s*localStorage\.getItem/i,
+        /JSON\.parse\s*\(\s*sessionStorage\.getItem/i,
+        /JSON\.parse\s*\(\s*window\.localStorage/i,
+        /JSON\.parse\s*\(\s*storage\.get/i,
+        /JSON\.parse\s*\(\s*saved\b/i, // Common pattern: const saved = localStorage.getItem(...); JSON.parse(saved)
+        /JSON\.parse\s*\(\s*stored\b/i,
+    ];
+    if (storagePatterns.some(p => p.test(lineContent))) {
+        return 'local_storage';
+    }
+    // Database results - internal data
+    const databasePatterns = [
+        /JSON\.parse\s*\(\s*(row|result|record|doc|document)\./i,
+        /JSON\.parse\s*\(\s*\w+\.(data|json|metadata|embedding)\)/i,
+        /JSON\.parse\s*\(\s*\w+\[['"]?\w+['"]?\]\.(data|json|embedding)/i,
+        /JSON\.parse\s*\(\s*item\.\w+\)/i, // ORM iteration: items.map(item => JSON.parse(item.field))
+        /JSON\.parse\s*\(\s*\w+\.content\)/i, // Parsing content field from DB
+    ];
+    if (databasePatterns.some(p => p.test(lineContent))) {
+        return 'database';
+    }
+    // Editor state, internal caches, UI state
+    const internalPatterns = [
+        /JSON\.parse\s*\(\s*(state|cache|stored|saved|cached)/i,
+        /JSON\.parse\s*\(\s*this\.(state|cache|data)/i,
+        /JSON\.parse\s*\(\s*\w+State\)/i,
+        /JSON\.parse\s*\(\s*editorState/i,
+        /JSON\.parse\s*\(\s*parsed\b/i, // JSON.parse(parsed) - likely already validated
+        /JSON\.parse\s*\(\s*settings\b/i, // Settings data
+        /JSON\.parse\s*\(\s*preferences\b/i,
+    ];
+    if (internalPatterns.some(p => p.test(lineContent))) {
+        return 'internal';
+    }
+    // Node content in editor apps (e.g., noda-os nodes have JSON content)
+    if (/JSON\.parse\s*\(\s*(node|note|document|entry)\.(content|body|data)\)/i.test(lineContent)) {
+        return 'database';
+    }
+    return 'unknown';
+}
+/**
+ * Detect JSON.parse usage with source-aware severity
+ * Much smarter than simple pattern matching - considers try/catch and data source
+ */
+function detectJSONParseSafe(content, filePath, isTestFile, vulnerabilities) {
+    const lines = content.split('\n');
+    const jsonParsePattern = /JSON\.parse\s*\(/gi;
+    // Track instances per file to aggregate noisy patterns
+    const instances = [];
+    lines.forEach((line, index) => {
+        if ((0, context_helpers_1.isComment)(line))
+            return;
+        jsonParsePattern.lastIndex = 0;
+        if (!jsonParsePattern.test(line))
+            return;
+        const jsonSource = classifyJSONParseSource(line, filePath);
+        // Skip migration files entirely - they're internal tooling
+        if (jsonSource === 'migration')
+            return;
+        // Skip test fixtures entirely - they're intentionally parsing test data
+        if (jsonSource === 'test_fixture')
+            return;
+        // Skip trusted SDK responses - these are well-defined and safe to parse
+        if (isTrustedSDKResponse(line, content))
+            return;
+        // Check if JSON.parse is inside a try-catch block
+        const insideTryCatch = (0, control_flow_1.isInsideTryCatch)(content, index) || (0, control_flow_1.hasTryCatchNearby)(content, index);
+        // Check if schema validation is applied after JSON.parse
+        const hasSchemaValidation = (0, schema_validation_1.hasSchemaValidationNearby)(content, index);
+        // If inside try-catch with safe source, suppress entirely - this is perfectly fine
+        if (insideTryCatch &&
+            ['local_storage', 'database', 'config', 'internal', 'ui_state'].includes(jsonSource)) {
+            return;
+        }
+        // If schema validation is present, this is properly handled
+        if (hasSchemaValidation) {
+            return;
+        }
+        // UI state (settings, providers, modals) - very low risk, aggregate or skip
+        if (jsonSource === 'ui_state') {
+            // Only track for aggregation, don't report individually
+            instances.push({
+                lineNumber: index + 1,
+                lineContent: line.trim(),
+                source: jsonSource,
+            });
+            return;
+        }
+        // Determine severity based on source and error handling
+        let severity;
+        let description;
+        let suggestedFix;
+        let confidence = 'medium';
+        if (insideTryCatch) {
+            // Already has error handling
+            switch (jsonSource) {
+                case 'user_input':
+                    severity = 'low';
+                    description =
+                        'JSON.parse on user input is wrapped in try-catch. Consider adding schema validation (zod/yup) to validate the parsed structure.';
+                    suggestedFix =
+                        'Add schema validation after parsing: const validated = schema.parse(JSON.parse(input))';
+                    confidence = 'low';
+                    break;
+                default:
+                    // With try-catch and non-user source, this is fine - don't report
+                    return;
+            }
+        }
+        else {
+            // No try-catch
+            switch (jsonSource) {
+                case 'user_input':
+                    severity = 'medium';
+                    description =
+                        'JSON.parse on user input without schema validation. Malformed input will crash; malicious input may have unexpected shape.';
+                    suggestedFix =
+                        'Use a schema validation library (zod, yup, joi): try { const data = schema.parse(JSON.parse(body)) } catch (e) { return 400 }';
+                    confidence = 'high';
+                    break;
+                case 'local_storage':
+                    severity = 'info';
+                    description =
+                        'JSON.parse on localStorage data. Consider adding try-catch for robustness against corrupted data.';
+                    suggestedFix =
+                        'Wrap in try-catch to handle corrupted localStorage gracefully.';
+                    confidence = 'low';
+                    break;
+                case 'database':
+                    // Database content parsing is very common and low-risk
+                    instances.push({
+                        lineNumber: index + 1,
+                        lineContent: line.trim(),
+                        source: jsonSource,
+                    });
+                    return; // Will be aggregated below
+                case 'config':
+                case 'internal':
+                    severity = 'info';
+                    description = `JSON.parse on ${jsonSource.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.`;
+                    suggestedFix = 'Consider adding try-catch for robustness.';
+                    confidence = 'low';
+                    break;
+                default:
+                    // Unknown source - track for potential aggregation
+                    instances.push({
+                        lineNumber: index + 1,
+                        lineContent: line.trim(),
+                        source: jsonSource,
+                    });
+                    return; // Will be evaluated below based on aggregation
+            }
+        }
+        // Downgrade test files
+        if (isTestFile) {
+            severity = 'info';
+            confidence = 'low';
+            description += ' (in test file)';
+        }
+        vulnerabilities.push({
+            id: `json-parse-${filePath}-${index + 1}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity,
+            category: 'dangerous_function',
+            title: 'JSON.parse usage',
+            description,
+            suggestedFix,
+            confidence,
+            layer: 2,
+        });
+    });
+    // Aggregate low-risk JSON.parse instances if there are many
+    if (instances.length >= 3) {
+        // Create single aggregated finding instead of N individual findings
+        const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5);
+        const moreText = instances.length > 5 ? `... (${instances.length} total)` : '';
+        vulnerabilities.push({
+            id: `json-parse-aggregated-${filePath}`,
+            filePath,
+            lineNumber: instances[0].lineNumber,
+            lineContent: `${instances.length} instances across this file`,
+            severity: 'info',
+            category: 'dangerous_function',
+            title: `JSON.parse usage (${instances.length} instances)`,
+            description: `JSON.parse detected. Consider adding error handling and schema validation if parsing user input.${isTestFile ? ' (in test file)' : ''}\n\nFound ${instances.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
+            suggestedFix: 'Add try-catch for error handling. If parsing user input, add schema validation.',
+            confidence: 'low',
+            layer: 2,
+        });
+    }
+    else if (instances.length > 0 && instances.length < 3) {
+        // Report individually for small counts
+        for (const instance of instances) {
+            vulnerabilities.push({
+                id: `json-parse-${filePath}-${instance.lineNumber}`,
+                filePath,
+                lineNumber: instance.lineNumber,
+                lineContent: instance.lineContent,
+                severity: 'info',
+                category: 'dangerous_function',
+                title: 'JSON.parse usage',
+                description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
+                suggestedFix: 'Consider adding try-catch for robustness.',
+                confidence: 'low',
+                layer: 2,
+            });
+        }
+    }
+}
+//# sourceMappingURL=json-parse.js.map

package/dist/layer2/dangerous-functions/json-parse.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"json-parse.js","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/json-parse.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAyBH,wDA+CC;AAMD,oDA0BC;AAKD,0DAuEC;AAMD,kDAiMC;AAxXD,iEAAyE;AACzE,uDAA0E;AAC1E,iEAAqE;AAiBrE;;GAEG;AACH,SAAgB,sBAAsB,CAAC,QAAgB;IACrD,sCAAsC;IACtC,IAAI,IAAA,kCAAgB,EAAC,QAAQ,CAAC,EAAE,CAAC;QAC/B,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,sDAAsD;IACtD,IAAI,sDAAsD,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1E,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,mEAAmE;IACnE,IAAI,6BAA6B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACjD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,qDAAqD;IACrD,IAAI,wDAAwD,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5E,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,sBAAsB;IACtB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,qBAAqB;IACrB,IAAI,gCAAgC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpD,OAAO,cAAc,CAAA;IACvB,CAAC;IAED,+CAA+C;IAC/C,IAAI,4BAA4B,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,kBAAkB;IAClB,IAAI,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,OAAO,WAAW,CAAA;IACpB,CAAC;IAED,eAAe;IACf,IAAI,yCAAyC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7D,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;;GAGG;AACH,SAAgB,oBAAoB,CAAC,WAAmB,EAAE,OAAe;IACvE,MAAM,eAAe,GAAG;QACtB,uBAAuB;QACvB,mFAAmF;QACnF,mDAAmD;QACnD,yDAAyD;QACzD,qDAAqD;QACrD,qBAAqB;QACrB,0EAA0E;QAC1E,2BAA2B;QAC3B,4DAA4D;KAC7D,CAAA;IAED,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACnD,OAAO,IAAI,CAAA;IACb,CAAC;IAED,0CAA0C;IAC1C,MAAM,kBAAkB,GAAG;QACzB,qBAAqB;QACrB,wBAAwB;QACxB,sBAAsB;QACtB,qBAAqB;KACtB,CAAA;IAED,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAgB,uBAAuB,CACrC,WAAmB,EACnB,QAAgB;IAEhB,8CAA8C;IAC9C,MAAM,eAAe,GAAG,sBAAsB,CAAC,QAAQ,CAAC,CAAA;IACxD,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,qCAAqC;IACrC,MAAM,iBAAiB,GAAG;QACxB,wDAAwD;QACxD,yDAAyD,EAAE,aAAa;QACxE,+CAA+C,EAAE,MAAM;QACvD,wDAAwD;QACxD,4BAA4B,EAAE,0CAA0C;KACzE,CAAA;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACrD,OAAO,YAAY,CAAA;IACrB,CAAC;IAED,oDAAoD;IACpD,MAAM,eAAe,GAAG;QACtB,2CAA2C;QAC3C,6CAA6C;QAC7C,0CAA0C;QAC1C,kCAAkC;QAClC,6BAA6B,EAAE,6EAA6E;QAC5G,8BAA8B;KAC/B,CAAA;IACD,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACnD,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,mCAAmC;IACnC,MAAM,gBAAgB,GAAG;QACvB,wDAAwD;QACxD,2DAA2D;QAC3D,iEAAiE;QACjE,iCAAiC,EAAE,2DAA2D;QAC9F,oCAAoC,EAAE,gCAAgC;KACvE,CAAA;IACD,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACpD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,0CAA0C;IAC1C,MAAM,gBAAgB,GAAG;QACvB,uDAAuD;QACvD,8CAA8C;QAC9C,gCAAgC;QAChC,iCAAiC;QACjC,8BAA8B,EAAE,gDAAgD;QAChF,gCAAgC,EAAE,gBAAgB;QAClD,mCAAmC;KACpC,CAAA;IACD,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;QACpD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,sEAAsE;IACtE,IACE,uEAAuE,CAAC,IAAI,CAC1E,WAAW,CACZ,EACD,CAAC;QACD,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CACjC,OAAe,EACf,QAAgB,EAChB,UAAmB,EACnB,eAAgC;IAEhC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,gBAAgB,GAAG,oBAAoB,CAAA;IAE7C,uDAAuD;IACvD,MAAM,SAAS,GAIT,EAAE,CAAA;IAER,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,IAAI,IAAA,2BAAS,EAAC,IAAI,CAAC;YAAE,OAAM;QAE3B,gBAAgB,CAAC,SAAS,GAAG,CAAC,CAAA;QAC9B,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAM;QAExC,MAAM,UAAU,GAAG,uBAAuB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAE1D,2DAA2D;QAC3D,IAAI,UAAU,KAAK,WAAW;YAAE,OAAM;QAEtC,wEAAwE;QACxE,IAAI,UAAU,KAAK,cAAc;YAAE,OAAM;QAEzC,wEAAwE;QACxE,IAAI,oBAAoB,CAAC,IAAI,EAAE,OAAO,CAAC;YAAE,OAAM;QAE/C,kDAAkD;QAClD,MAAM,cAAc,GAClB,IAAA,+BAAgB,EAAC,OAAO,EAAE,KAAK,CAAC,IAAI,IAAA,gCAAiB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QAEvE,yDAAyD;QACzD,MAAM,mBAAmB,GAAG,IAAA,6CAAyB,EAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QAErE,mFAAmF;QACnF,IACE,cAAc;YACd,CAAC,eAAe,EAAE,UAAU,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC,QAAQ,CACtE,UAAU,CACX,EACD,CAAC;YACD,OAAM;QACR,CAAC;QAED,4DAA4D;QAC5D,IAAI,mBAAmB,EAAE,CAAC;YACxB,OAAM;QACR,CAAC;QAED,4EAA4E;QAC5E,IAAI,UAAU,KAAK,UAAU,EAAE,CAAC;YAC9B,wDAAwD;YACxD,SAAS,CAAC,IAAI,CAAC;gBACb,UAAU,EAAE,KAAK,GAAG,CAAC;gBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;gBACxB,MAAM,EAAE,UAAU;aACnB,CAAC,CAAA;YACF,OAAM;QACR,CAAC;QAED,wDAAwD;QACxD,IAAI,QAA+B,CAAA;QACnC,IAAI,WAAmB,CAAA;QACvB,IAAI,YAAoB,CAAA;QACxB,IAAI,UAAU,GAA8B,QAAQ,CAAA;QAEpD,IAAI,cAAc,EAAE,CAAC;YACnB,6BAA6B;YAC7B,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,YAAY;oBACf,QAAQ,GAAG,KAAK,CAAA;oBAChB,WAAW;wBACT,iIAAiI,CAAA;oBACnI,YAAY;wBACV,wFAAwF,CAAA;oBAC1F,UAAU,GAAG,KAAK,CAAA;oBAClB,MAAK;gBACP;oBACE,kEAAkE;oBAClE,OAAM;YACV,CAAC;QACH,CAAC;aAAM,CAAC;YACN,eAAe;YACf,QAAQ,UAAU,EAAE,CAAC;gBACnB,KAAK,YAAY;oBACf,QAAQ,GAAG,QAAQ,CAAA;oBACnB,WAAW;wBACT,4HAA4H,CAAA;oBAC9H,YAAY;wBACV,+HAA+H,CAAA;oBACjI,UAAU,GAAG,MAAM,CAAA;oBACnB,MAAK;gBACP,KAAK,eAAe;oBAClB,QAAQ,GAAG,MAAM,CAAA;oBACjB,WAAW;wBACT,mGAAmG,CAAA;oBACrG,YAAY;wBACV,gEAAgE,CAAA;oBAClE,UAAU,GAAG,KAAK,CAAA;oBAClB,MAAK;gBACP,KAAK,UAAU;oBACb,uDAAuD;oBACvD,SAAS,CAAC,IAAI,CAAC;wBACb,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,MAAM,EAAE,UAAU;qBACnB,CAAC,CAAA;oBACF,OAAM,CAAC,2BAA2B;gBACpC,KAAK,QAAQ,CAAC;gBACd,KAAK,UAAU;oBACb,QAAQ,GAAG,MAAM,CAAA;oBACjB,WAAW,GAAG,iBAAiB,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,uEAAuE,CAAA;oBAClI,YAAY,GAAG,2CAA2C,CAAA;oBAC1D,UAAU,GAAG,KAAK,CAAA;oBAClB,MAAK;gBACP;oBACE,mDAAmD;oBACnD,SAAS,CAAC,IAAI,CAAC;wBACb,UAAU,EAAE,KAAK,GAAG,CAAC;wBACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,MAAM,EAAE,UAAU;qBACnB,CAAC,CAAA;oBACF,OAAM,CAAC,+CAA+C;YAC1D,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,UAAU,EAAE,CAAC;YACf,QAAQ,GAAG,MAAM,CAAA;YACjB,UAAU,GAAG,KAAK,CAAA;YAClB,WAAW,IAAI,iBAAiB,CAAA;QAClC,CAAC;QAED,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,cAAc,QAAQ,IAAI,KAAK,GAAG,CAAC,EAAE;YACzC,QAAQ;YACR,UAAU,EAAE,KAAK,GAAG,CAAC;YACrB,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;YACxB,QAAQ;YACR,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,kBAAkB;YACzB,WAAW;YACX,YAAY;YACZ,UAAU;YACV,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,4DAA4D;IAC5D,IAAI,SAAS,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAC1B,oEAAoE;QACpE,MAAM,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;QAChE,MAAM,QAAQ,GACZ,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,SAAS,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC,EAAE,CAAA;QAE/D,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,yBAAyB,QAAQ,EAAE;YACvC,QAAQ;YACR,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,UAAU;YACnC,WAAW,EAAE,GAAG,SAAS,CAAC,MAAM,6BAA6B;YAC7D,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;YAC9B,KAAK,EAAE,qBAAqB,SAAS,CAAC,MAAM,aAAa;YACzD,WAAW,EAAE,mGAAmG,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,aAAa,SAAS,CAAC,MAAM,0BAA0B,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,EAAE;YAC7O,YAAY,EACV,iFAAiF;YACnF,UAAU,EAAE,KAAK;YACjB,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;IACJ,CAAC;SAAM,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxD,uCAAuC;QACvC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,cAAc,QAAQ,IAAI,QAAQ,CAAC,UAAU,EAAE;gBACnD,QAAQ;gBACR,UAAU,EAAE,QAAQ,CAAC,UAAU;gBAC/B,WAAW,EAAE,QAAQ,CAAC,WAAW;gBACjC,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,oBAAoB;gBAC9B,KAAK,EAAE,kBAAkB;gBACzB,WAAW,EAAE,iBAAiB,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,wEAAwE,UAAU,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,EAAE;gBAC5K,YAAY,EAAE,2CAA2C;gBACzD,UAAU,EAAE,KAAK;gBACjB,KAAK,EAAE,CAAC;aACT,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/layer2/dangerous-functions/math-random.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Math.random() Detection
+ *
+ * Context-aware detection of Math.random() usage with intelligent severity
+ * classification based on usage context, variable names, and function intent.
+ */
+/**
+ * Check if Math.random() is used for cosmetic/UI purposes (not security)
+ * Cosmetic uses: CSS values, animations, UI variations, demo data
+ * Security uses: tokens, IDs, cryptographic operations, session management
+ */
+export declare function isCosmeticMathRandom(lineContent: string, content: string, lineNumber: number): boolean;
+/**
+ * Classify function intent based on function name
+ * Used to determine if Math.random() usage is legitimate
+ */
+export declare function classifyFunctionIntent(functionName: string | null): 'uuid' | 'captcha' | 'demo' | 'security' | 'unknown';
+/**
+ * Analyze toString() pattern in Math.random() usage
+ * Determines intent based on base and truncation length
+ */
+export declare function analyzeToStringPattern(lineContent: string): {
+    hasToString: boolean;
+    base: number | null;
+    isTruncated: boolean;
+    truncationLength: number | null;
+    intent: 'short-ui-id' | 'business-id' | 'full-token' | 'unknown';
+};
+/**
+ * Extract variable name from Math.random() assignment
+ * Examples:
+ *   const token = Math.random() -> "token"
+ *   const businessId = Math.random().toString(36) -> "businessId"
+ *   return Math.random() -> null (no variable)
+ */
+export declare function extractMathRandomVariableName(lineContent: string): string | null;
+/**
+ * Classify variable name security risk based on naming patterns
+ *
+ * High risk: Security-sensitive names (token, secret, key, etc.)
+ * Medium risk: Unclear context
+ * Low risk: Non-security names (id, businessId, orderId, etc.)
+ */
+export declare function classifyVariableNameRisk(varName: string | null): 'high' | 'medium' | 'low';
+/**
+ * Analyze surrounding code context for security signals
+ * Returns context type and description for severity classification
+ */
+export declare function analyzeMathRandomContext(content: string, filePath: string, lineNumber: number): {
+    inSecurityContext: boolean;
+    inTestContext: boolean;
+    inUIContext: boolean;
+    inBusinessLogicContext: boolean;
+    contextDescription: string;
+};
+/**
+ * Check if Math.random() should be skipped entirely
+ * Returns true for seed files, test fixtures, captcha/puzzle, uuid, and pure cosmetic uses
+ */
+export declare function shouldSkipMathRandom(content: string, filePath: string, lineNumber: number): boolean;
+//# sourceMappingURL=math-random.d.ts.map

package/dist/layer2/dangerous-functions/math-random.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"math-random.d.ts","sourceRoot":"","sources":["../../../src/layer2/dangerous-functions/math-random.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CA8FT;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,YAAY,EAAE,MAAM,GAAG,IAAI,GAC1B,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,UAAU,GAAG,SAAS,CA+CtD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG;IAC3D,WAAW,EAAE,OAAO,CAAA;IACpB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IACnB,WAAW,EAAE,OAAO,CAAA;IACpB,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAA;IAC/B,MAAM,EAAE,aAAa,GAAG,aAAa,GAAG,YAAY,GAAG,SAAS,CAAA;CACjE,CA0EA;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,WAAW,EAAE,MAAM,GAClB,MAAM,GAAG,IAAI,CAgBf;AAED;;;;;;GAMG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,GAAG,IAAI,GACrB,MAAM,GAAG,QAAQ,GAAG,KAAK,CAmG3B;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB;IACD,iBAAiB,EAAE,OAAO,CAAA;IAC1B,aAAa,EAAE,OAAO,CAAA;IACtB,WAAW,EAAE,OAAO,CAAA;IACpB,sBAAsB,EAAE,OAAO,CAAA;IAC/B,kBAAkB,EAAE,MAAM,CAAA;CAC3B,CA8DA;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAqDT"}