@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/dangerous-functions/index.ts

@@ -0,0 +1,949 @@
+/**
+ * Layer 2: Dangerous Function Call Analysis
+ *
+ * Detects usage of dangerous functions that can lead to security vulnerabilities.
+ * This module orchestrates detection across multiple specialized modules.
+ */
+
+import type { Vulnerability, VulnerabilitySeverity } from '../../types'
+import {
+  isComment,
+  isTestOrMockFile,
+  isScannerOrFixtureFile,
+  isSeedOrDataGenFile,
+} from '../../utils/context-helpers'
+
+// Pattern definitions
+import {
+  DANGEROUS_FUNCTIONS,
+  matchesLanguage,
+  type DangerousFunctionPattern,
+} from './patterns'
+
+// Child process detection
+import { isChildProcessExec, isChildProcessSpawn } from './child-process'
+
+// DOM/XSS detection
+import {
+  isStyleElementInnerHTML,
+  isStaticHTMLContent,
+  hasDOMPurifySanitization,
+  isLLMPromptContext,
+  isStaticBootstrapScript,
+} from './dom-xss'
+
+// JSON.parse detection
+import { detectJSONParseSafe } from './json-parse'
+
+// Math.random detection
+import {
+  isCosmeticMathRandom,
+  classifyFunctionIntent,
+  analyzeToStringPattern,
+  extractMathRandomVariableName,
+  classifyVariableNameRisk,
+  analyzeMathRandomContext,
+  shouldSkipMathRandom,
+} from './math-random'
+
+// Request validation detection
+import { detectRequestJsonValidation } from './request-validation'
+
+// Utilities
+import { extractFunctionContext } from './utils/control-flow'
+import { hasSQLWhitelistValidation } from './utils/schema-validation'
+import { hasOnlyStaticInputs, hasPathTraversalProtection } from './utils/helpers'
+
+// Re-export types and patterns for external use
+export { DANGEROUS_FUNCTIONS, type DangerousFunctionPattern } from './patterns'
+
+/**
+ * Main detection function for dangerous function calls
+ */
+export function detectDangerousFunctions(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) {
+    return vulnerabilities
+  }
+
+  const lines = content.split('\n')
+  const isTestFile = isTestOrMockFile(filePath)
+
+  lines.forEach((line, index) => {
+    // Skip comment lines
+    if (isComment(line)) return
+
+    for (const funcPattern of DANGEROUS_FUNCTIONS) {
+      // Check language filter
+      if (!matchesLanguage(filePath, funcPattern.languages)) continue
+
+      const regex = new RegExp(
+        funcPattern.pattern.source,
+        funcPattern.pattern.flags
+      )
+
+      if (regex.test(line)) {
+        // Special handling for innerHTML patterns
+        if (
+          funcPattern.name === 'innerHTML assignment' ||
+          funcPattern.name === 'dangerouslySetInnerHTML'
+        ) {
+          handleInnerHTMLPattern(
+            funcPattern,
+            line,
+            content,
+            index,
+            filePath,
+            isTestFile,
+            vulnerabilities
+          )
+          break
+        }
+
+        // Note: JSON.parse is now handled by standalone detectJSONParseSafe() function
+        // which provides better source-aware severity classification
+
+        // Special handling for eval and Function constructor
+        if (
+          funcPattern.name === 'eval() usage' ||
+          funcPattern.name === 'Function constructor'
+        ) {
+          if (
+            handleEvalPattern(
+              funcPattern,
+              line,
+              content,
+              index,
+              filePath,
+              isTestFile,
+              vulnerabilities
+            )
+          ) {
+            break
+          }
+          continue
+        }
+
+        // Special handling for child_process exec - verify it's not RegExp.exec
+        if (funcPattern.name === 'child_process exec') {
+          if (
+            handleChildProcessPattern(
+              funcPattern,
+              line,
+              content,
+              index,
+              filePath,
+              isTestFile,
+              vulnerabilities
+            )
+          ) {
+            break
+          }
+          continue
+        }
+
+        // Special handling for SQL patterns - check for whitelist validation
+        if (
+          funcPattern.name === 'Raw SQL query construction' ||
+          funcPattern.name === 'SQL template literal'
+        ) {
+          handleSQLPattern(
+            funcPattern,
+            line,
+            content,
+            index,
+            filePath,
+            isTestFile,
+            vulnerabilities
+          )
+          break
+        }
+
+        // Special handling for dynamic file paths - check for path traversal protection
+        if (
+          funcPattern.name === 'Dynamic file path' ||
+          funcPattern.name === 'Path traversal risk'
+        ) {
+          handleFilePathPattern(
+            funcPattern,
+            line,
+            content,
+            index,
+            filePath,
+            isTestFile,
+            vulnerabilities
+          )
+          break
+        }
+
+        // Special handling for Math.random
+        if (funcPattern.name === 'Math.random for security') {
+          handleMathRandomPattern(
+            funcPattern,
+            line,
+            content,
+            index,
+            filePath,
+            isTestFile,
+            vulnerabilities
+          )
+          break
+        }
+
+        // Special handling for Python subprocess/os.system
+        if (funcPattern.name === 'os.system/subprocess (Python)') {
+          handlePythonSubprocessPattern(
+            funcPattern,
+            line,
+            content,
+            index,
+            filePath,
+            isTestFile,
+            vulnerabilities
+          )
+          break
+        }
+
+        // Standard handling for all other patterns
+        handleStandardPattern(
+          funcPattern,
+          line,
+          index,
+          filePath,
+          isTestFile,
+          vulnerabilities
+        )
+        break // Only report once per line
+      }
+    }
+  })
+
+  // Additional standalone checks (not in DANGEROUS_FUNCTIONS array)
+
+  // JSON.parse source-aware detection
+  detectJSONParseSafe(content, filePath, isTestFile, vulnerabilities)
+
+  // request.json() / req.json() schema validation suggestion
+  detectRequestJsonValidation(content, filePath, isTestFile, vulnerabilities)
+
+  return vulnerabilities
+}
+
+/**
+ * Handle innerHTML/dangerouslySetInnerHTML patterns
+ */
+function handleInnerHTMLPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  // Check if this is a style element (CSS injection is not XSS)
+  if (isStyleElementInnerHTML(line, content, index)) {
+    // Style elements with CSS are safe - don't report anything
+    // CSS cannot execute JavaScript, so there's no XSS risk
+    return
+  }
+
+  // Check if this uses static content only - skip entirely (safe)
+  if (isStaticHTMLContent(line, content, index)) {
+    return // Static HTML is safe - no finding needed
+  }
+
+  // Check if DOMPurify or similar sanitization is used - skip entirely (safe)
+  if (hasDOMPurifySanitization(line, content, index)) {
+    return // Sanitized HTML is safe - no finding needed
+  }
+
+  // Check if this is a static bootstrap script (e.g., theme/font loader) - skip entirely (safe)
+  if (isStaticBootstrapScript(line, content, index)) {
+    return // Static bootstrap scripts are safe - no finding needed
+  }
+
+  // Check if this is in LLM prompt context (not XSS - it's prompt injection)
+  if (isLLMPromptContext(line, content, filePath)) {
+    vulnerabilities.push({
+      id: `dangerous-func-${filePath}-${index + 1}-prompt-injection`,
+      filePath,
+      lineNumber: index + 1,
+      lineContent: line.trim(),
+      severity: 'info',
+      category: 'ai_pattern',
+      title: 'Potential prompt injection risk',
+      description:
+        'User content is being used in an LLM prompt context. This is NOT XSS (the content goes to an AI, not a DOM). However, untrusted content in prompts may lead to prompt injection attacks.',
+      suggestedFix:
+        'Consider input validation, content filtering, or structured prompts to limit prompt injection risk.',
+      confidence: 'low',
+      layer: 2,
+    })
+    return
+  }
+
+  // Dynamic content - full severity, needs AI validation
+  let severity = funcPattern.severity
+  if (isTestFile) {
+    severity = 'low'
+  }
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity,
+    category: 'dangerous_function',
+    title: funcPattern.name,
+    description:
+      funcPattern.description +
+      ' This appears to use dynamic content which increases XSS risk.' +
+      (isTestFile ? ' (in test file)' : ''),
+    suggestedFix: funcPattern.suggestedFix,
+    confidence: isTestFile ? 'low' : 'high',
+    layer: 2,
+    requiresAIValidation: true, // Dynamic HTML needs validation
+  })
+}
+
+/**
+ * Handle eval and Function constructor patterns
+ * Returns true if a finding was added, false otherwise
+ */
+function handleEvalPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): boolean {
+  // Check if "eval" or "Function" appears inside a string literal
+  // e.g., const docs = "Don't use eval() in production"
+  // This is NOT an actual eval call, just documentation/comments
+  const evalInsideStringPattern = /(['"`])(?:[^\\]|\\.)*?\beval\s*\(.*?\1/
+  const functionInsideStringPattern = /(['"`])(?:[^\\]|\\.)*?\bFunction\s*\(.*?\1/
+  if (evalInsideStringPattern.test(line) || functionInsideStringPattern.test(line)) {
+    return true // Skip - this is just a string mentioning eval, not actual eval()
+  }
+
+  // Suppress entirely in test files - test files legitimately test eval behavior
+  if (isTestFile) {
+    return true // Skip reporting entirely
+  }
+
+  // Check if eval is inside a test assertion (expect(), test(), it(), describe())
+  const testAssertionPattern = /\b(expect|test|it|describe)\s*\(/
+  if (testAssertionPattern.test(line)) {
+    return true // Skip reporting - this is testing eval behavior
+  }
+
+  // Check if inputs are static literals (low risk) - skip entirely
+  if (hasOnlyStaticInputs(line, content, index)) {
+    return true // Static eval is safe enough - no finding needed
+  }
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity: funcPattern.severity,
+    category: 'dangerous_function',
+    title: funcPattern.name,
+    description: funcPattern.description,
+    suggestedFix: funcPattern.suggestedFix,
+    confidence: 'high',
+    layer: 2,
+    requiresAIValidation: true, // Code execution patterns need validation
+  })
+  return true
+}
+
+/**
+ * Handle child_process exec patterns
+ * Returns true if a finding was added, false otherwise
+ */
+function handleChildProcessPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): boolean {
+  // First check if this is actually from child_process (not RegExp.exec)
+  const isExecMatch = /\bexec\s*\(/.test(line)
+  const isOtherMatch = /\b(execSync|spawn|spawnSync|execFile)\s*\(/.test(line)
+
+  if (isExecMatch && !isOtherMatch) {
+    // This matched 'exec(' - verify it's from child_process
+    if (!isChildProcessExec(content, line)) {
+      // This is RegExp.exec or similar - skip
+      return false
+    }
+  } else if (isOtherMatch) {
+    // This matched spawn/execSync/etc - verify child_process import
+    if (!isChildProcessSpawn(content, line)) {
+      // No child_process import - skip
+      return false
+    }
+  }
+
+  // Check if arguments are validated via allowlist
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, index - 15)
+  const contextEnd = Math.min(lines.length, index + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  // Detect allowlist validation patterns before exec/spawn
+  const hasArgAllowlist =
+    /allowedArgs\.includes\s*\(/i.test(context) ||
+    /if\s*\(\s*!?allowedArgs\.includes/i.test(context) ||
+    /if\s*\(\s*!?\w+Args\.includes/i.test(context) ||
+    /validArgs\.includes/i.test(context) ||
+    // ALLOWED_COMMANDS pattern (common naming convention)
+    /ALLOWED_\w+\.includes\s*\(/i.test(context) ||
+    /if\s*\(\s*!?ALLOWED_\w+\.includes/i.test(context) ||
+    // allowedCommands, validCommands, safeCommands
+    /allowed(?:Commands?|Cmds?)\.includes\s*\(/i.test(context) ||
+    /valid(?:Commands?|Cmds?)\.includes\s*\(/i.test(context) ||
+    /safe(?:Commands?|Cmds?)\.includes\s*\(/i.test(context) ||
+    // Generic whitelist/allowlist check
+    /(?:whitelist|allowlist)\.includes\s*\(/i.test(context)
+
+  // execFile with hardcoded command is safe (safer than exec)
+  const isExecFileWithHardcodedCmd = /execFile\s*\(\s*['"][^'"]+['"]/i.test(line)
+
+  if (hasArgAllowlist || isExecFileWithHardcodedCmd) {
+    return true // Allowlisted or execFile with hardcoded command - safe
+  }
+
+  if (hasOnlyStaticInputs(line, content, index)) {
+    return true // Static command is safe - no finding needed
+  }
+
+  // Dynamic command - report with standard severity
+  let severity = funcPattern.severity
+  let confidence: 'high' | 'medium' | 'low' = 'high'
+
+  if (isTestFile) {
+    if (severity === 'critical') {
+      severity = 'medium'
+    } else if (severity === 'high') {
+      severity = 'low'
+    } else {
+      severity = 'info'
+    }
+    confidence = 'low'
+  }
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity,
+    category: 'dangerous_function',
+    title: funcPattern.name,
+    description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+    suggestedFix: funcPattern.suggestedFix,
+    confidence,
+    layer: 2,
+  })
+  return true
+}
+
+/**
+ * Handle SQL injection patterns
+ */
+function handleSQLPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  // Check for whitelist validation - skip entirely (safe)
+  if (hasSQLWhitelistValidation(content, index)) {
+    return // Whitelist validated - safe, no finding needed
+  }
+
+  // Check for ORM methods (not raw SQL) - skip entirely (safe)
+  // Prisma: prisma.user.findMany({ where: {...} })
+  // Sequelize: Model.findAll({ where: {...} })
+  // TypeORM: repository.find({ where: {...} })
+  const ormMethodPattern = /\.(findMany|findUnique|findFirst|findAll|find|create|update|delete|upsert)\s*\(\s*\{/i
+  if (ormMethodPattern.test(line)) {
+    return // ORM method - safe, no finding needed
+  }
+
+  // Check for parameterized queries - skip entirely (safe)
+  // e.g., db.query('SELECT * FROM users WHERE id = $1', [userId])
+  const parameterizedQueryPattern = /\.\s*(query|execute)\s*\(\s*['"`][^${}]+['"`]\s*,\s*\[/
+  if (parameterizedQueryPattern.test(line)) {
+    return // Parameterized query - safe, no finding needed
+  }
+
+  // Check for Prisma tagged template literal - these ARE parameterized (safe)
+  // Prisma's $queryRaw`...${var}...` treats ${} as parameterized values, not string interpolation
+  // e.g., prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`
+  const prismaTaggedTemplatePattern = /\$queryRaw\s*`[^`]*\$\{/i
+  if (prismaTaggedTemplatePattern.test(line)) {
+    return // Prisma tagged template - parameterized and safe, no finding needed
+  }
+
+  // Check for schema-validated input (zod .enum() for table/column names)
+  // e.g., z.enum(['users', 'posts']).parse(input) followed by SQL
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, index - 20)
+  const contextEnd = index
+  const previousContext = lines.slice(contextStart, contextEnd).join('\n')
+
+  // Detect zod enum validation for SQL identifiers
+  const hasSchemaValidation =
+    /z\s*\.\s*enum\s*\(\s*\[['"][^'"]+['"]/i.test(previousContext) ||
+    /\.parse\s*\(\s*JSON\.parse/.test(previousContext) ||
+    // Allow validated table/column names from parsed schema
+    /schema\.parse/.test(previousContext) ||
+    /const\s+parsed\s*=\s*schema/.test(previousContext)
+
+  if (hasSchemaValidation) {
+    return // Schema-validated SQL identifiers - safe, no finding needed
+  }
+
+  // No whitelist - report with standard severity
+  let severity = funcPattern.severity
+  let confidence: 'high' | 'medium' | 'low' = 'high'
+
+  if (isTestFile) {
+    if (severity === 'critical') {
+      severity = 'medium'
+    } else if (severity === 'high') {
+      severity = 'low'
+    } else {
+      severity = 'info'
+    }
+    confidence = 'low'
+  }
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity,
+    category: 'dangerous_function',
+    title: funcPattern.name,
+    description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+    suggestedFix: funcPattern.suggestedFix,
+    confidence,
+    layer: 2,
+  })
+}
+
+/**
+ * Handle dynamic file path patterns
+ */
+function handleFilePathPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  // Check file context for CLI/tooling (lower risk)
+  const isCLITool =
+    /\/(cli|scripts?|tools?|bin)\//i.test(filePath) ||
+    /cli\.(ts|js)$/i.test(filePath)
+
+  // Check for GitHub Action context (workflow-controlled paths)
+  const isGitHubAction =
+    /\/(github-action|actions?)\//i.test(filePath) ||
+    /action\.(ts|js)$/i.test(filePath)
+
+  // Check for utility/helper file context (called by trusted code)
+  const isUtilityFile =
+    /\/(utils?|helpers?|lib|common|shared)\//i.test(filePath) ||
+    /(util(s)?|helper(s)?|checksum|hash)\.(ts|js)$/i.test(filePath)
+
+  // Get surrounding context for protection check
+  const lines = content.split('\n')
+  const contextStart = Math.max(0, index - 10)
+  const contextEnd = Math.min(lines.length, index + 10)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+
+  // Check if path comes from directory iteration (fs.readdir, fs.readdirSync)
+  // These paths are filesystem-controlled, not user input
+  const hasDirectoryIteration =
+    /\b(readdir|readdirSync|opendir|opendirSync)\s*\(/.test(content) &&
+    (/for\s*\(\s*(const|let|var)\s+\w+\s+of/.test(context) ||
+     /\.forEach\s*\(/.test(context) ||
+     /entry\.(name|isFile|isDirectory)/.test(context) ||
+     /dirent\.(name|isFile|isDirectory)/.test(context))
+
+  if (hasPathTraversalProtection(context, line)) {
+    vulnerabilities.push({
+      id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+      filePath,
+      lineNumber: index + 1,
+      lineContent: line.trim(),
+      severity: 'info',
+      category: 'dangerous_function',
+      title: funcPattern.name + ' (protected)',
+      description:
+        'Dynamic file path with path traversal protection detected. Verify the protection is complete and covers all attack vectors.',
+      suggestedFix:
+        'Ensure path normalization and base directory checks are applied consistently.',
+      confidence: 'low',
+      layer: 2,
+    })
+    return
+  }
+
+  // Directory iteration paths are filesystem-controlled (not user input)
+  if (hasDirectoryIteration) {
+    // Skip entirely - paths from fs.readdir are not user-controlled
+    return
+  }
+
+  // GitHub Action paths are workflow-controlled (not arbitrary user input)
+  if (isGitHubAction) {
+    vulnerabilities.push({
+      id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+      filePath,
+      lineNumber: index + 1,
+      lineContent: line.trim(),
+      severity: 'info',
+      category: 'dangerous_function',
+      title: funcPattern.name + ' (GitHub Action)',
+      description:
+        'Dynamic file path in GitHub Action. Paths are typically controlled by workflow configuration, not arbitrary user input.',
+      suggestedFix:
+        'Verify paths come from trusted action inputs or environment variables.',
+      confidence: 'low',
+      layer: 2,
+    })
+    return
+  }
+
+  // CLI tools with dynamic paths are lower risk (trusted operator)
+  if (isCLITool) {
+    vulnerabilities.push({
+      id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+      filePath,
+      lineNumber: index + 1,
+      lineContent: line.trim(),
+      severity: 'info',
+      category: 'dangerous_function',
+      title: funcPattern.name + ' (CLI tool)',
+      description:
+        'Dynamic file path in CLI tool. CLI tools typically have trusted operators, but consider adding path validation if user input is involved.',
+      suggestedFix:
+        'Add path validation if accepting paths from untrusted sources.',
+      confidence: 'low',
+      layer: 2,
+    })
+    return
+  }
+
+  // Utility/helper files with function parameters are lower risk (called by trusted code)
+  // Check if path variable appears to be a function parameter, not from request
+  const hasRequestData = /req\.(params|query|body)|request\.(params|query|body)/i.test(context)
+  if (isUtilityFile && !hasRequestData) {
+    // Skip entirely - utility functions receive paths from trusted callers
+    return
+  }
+
+  // Standard handling for unprotected paths
+  let severity = funcPattern.severity
+  let confidence: 'high' | 'medium' | 'low' = 'high'
+
+  if (isTestFile) {
+    if (severity === 'critical') {
+      severity = 'medium'
+    } else if (severity === 'high') {
+      severity = 'low'
+    } else {
+      severity = 'info'
+    }
+    confidence = 'low'
+  }
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity,
+    category: 'dangerous_function',
+    title: funcPattern.name,
+    description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+    suggestedFix: funcPattern.suggestedFix,
+    confidence,
+    layer: 2,
+  })
+}
+
+/**
+ * Handle Math.random patterns with context-aware severity
+ */
+function handleMathRandomPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  // Skip entirely for certain contexts
+  if (shouldSkipMathRandom(content, filePath, index)) {
+    return
+  }
+
+  // Analyze context
+  const functionName = extractFunctionContext(content, index)
+  const functionIntent = classifyFunctionIntent(functionName)
+  const toStringPattern = analyzeToStringPattern(line)
+  const variableName = extractMathRandomVariableName(line)
+  const variableRisk = classifyVariableNameRisk(variableName)
+  const context = analyzeMathRandomContext(content, filePath, index)
+
+  // Determine severity based on all factors
+  let severity: VulnerabilitySeverity
+  let confidence: 'high' | 'medium' | 'low'
+  let description: string
+  let suggestedFix: string
+  let explanation = ''
+
+  // Variable name indicates security risk - check this FIRST before toString patterns
+  // This ensures 'secret', 'token', 'key' etc. are always flagged as high
+  if (variableRisk === 'high') {
+    severity = 'high'
+    confidence = 'high'
+    // Update context description to indicate security context
+    context.contextDescription = 'security-sensitive variable'
+    description = `Math.random() assigned to security-sensitive variable '${variableName}'. Math.random() is NOT cryptographically secure.`
+    suggestedFix =
+      'Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive values.'
+  }
+  // Security-sensitive contexts get high severity
+  else if (context.inSecurityContext || functionIntent === 'security') {
+    severity = 'high'
+    confidence = 'high'
+    description =
+      'Math.random() is being used in a security-sensitive context. This is NOT cryptographically secure and should be replaced.'
+    suggestedFix =
+      'Use crypto.randomBytes() for Node.js or crypto.getRandomValues() for browsers.'
+  }
+  // Test contexts get info severity
+  else if (context.inTestContext) {
+    severity = 'info'
+    confidence = 'low'
+    description =
+      'Math.random() in test context. Acceptable for test data generation.'
+    suggestedFix = 'No change needed for test data.'
+  }
+  // UUID/CAPTCHA generation - legitimate use
+  else if (functionIntent === 'uuid' || functionIntent === 'captcha') {
+    severity = 'info'
+    confidence = 'low'
+    description = `Math.random() used for ${functionIntent === 'uuid' ? 'ID generation' : 'CAPTCHA/puzzle'} (not security-sensitive).`
+    suggestedFix =
+      'For truly unique IDs, consider crypto.randomUUID(). For security tokens, use crypto.randomBytes().'
+  }
+  // Demo/seed data - legitimate use
+  else if (functionIntent === 'demo') {
+    severity = 'info'
+    confidence = 'low'
+    description =
+      'Math.random() for demo/seed data generation. Acceptable for non-production data.'
+    suggestedFix = 'No change needed for demo/seed data.'
+  }
+  // Short UI IDs (.toString(36).substring(2,9)) - info
+  else if (toStringPattern.intent === 'short-ui-id') {
+    severity = 'info'
+    confidence = 'low'
+    explanation = ` (${toStringPattern.truncationLength || '?'}-char string)`
+    // Override context description for UI IDs
+    context.contextDescription = 'UI identifier generation'
+    description = `Math.random() generating short UI identifier${explanation}. Acceptable for React keys, temp IDs.`
+    suggestedFix =
+      'For security tokens, use crypto.randomBytes(). For unique IDs, crypto.randomUUID().'
+  }
+  // Business IDs (.toString(36) with medium truncation) - low
+  else if (toStringPattern.intent === 'business-id') {
+    severity = 'low'
+    confidence = 'low'
+    explanation = variableName ? ` (variable: ${variableName})` : ''
+    description = `Math.random() generating business identifier${explanation}. Verify this is not used for security purposes.`
+    suggestedFix =
+      'For business IDs, crypto.randomUUID() is preferred. For security tokens, use crypto.randomBytes().'
+  }
+  // Full token (.toString(36) without truncation) - severity based on variable name
+  else if (toStringPattern.intent === 'full-token') {
+    // Note: high-risk variable names are already handled above
+    if (variableRisk === 'low') {
+      severity = 'low'
+      confidence = 'low'
+    } else {
+      severity = 'medium'
+      confidence = 'medium'
+    }
+    explanation = variableName ? ` (variable: ${variableName})` : ''
+    description = `Math.random() generating full-length random string${explanation}. This pattern is often used for security tokens.`
+    suggestedFix =
+      'Use crypto.randomBytes() for security tokens. Use crypto.randomUUID() for unique IDs.'
+  }
+  // Business logic context - low
+  else if (context.inBusinessLogicContext) {
+    severity = 'low'
+    confidence = 'low'
+    description =
+      'Math.random() in business logic context (backoff, sampling, experiments). Verify this is not for security.'
+    suggestedFix =
+      'If used for security, replace with crypto.randomBytes(). Otherwise, usage is acceptable.'
+  }
+  // Unknown context - medium
+  else {
+    severity = 'medium'
+    confidence = 'medium'
+    description =
+      'Math.random() is being used. Verify this is not for security-critical purposes like tokens, session IDs, or cryptographic operations.'
+    suggestedFix =
+      'If used for security, replace with crypto.randomBytes(). For unique IDs, use crypto.randomUUID()'
+  }
+
+  // Update title with context
+  const title = `Math.random() in ${context.contextDescription}${explanation}`
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity,
+    category: 'dangerous_function',
+    title,
+    description,
+    suggestedFix,
+    confidence,
+    layer: 2,
+  })
+}
+
+/**
+ * Handle Python subprocess/os.system patterns
+ * Safe pattern: subprocess.run(['static', 'args']) without shell=True
+ * Unsafe pattern: subprocess.run(command, shell=True) or os.system(command)
+ */
+function handlePythonSubprocessPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  content: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  // os.system is always dangerous - no safe usage
+  if (/os\.system\s*\(/i.test(line)) {
+    handleStandardPattern(funcPattern, line, index, filePath, isTestFile, vulnerabilities)
+    return
+  }
+
+  // Check for subprocess with list args and no shell=True (safe)
+  // Pattern: subprocess.run(['git', 'status', '--porcelain'], ...)
+  // This is safe because args are not parsed by shell
+  const hasListArgs = /subprocess\.(run|call|check_output|Popen)\s*\(\s*\[/i.test(line)
+
+  // Check for shell=True (dangerous)
+  // Look at next line too in case it's multi-line
+  const lines = content.split('\n')
+  const nextLine = lines[index + 1] || ''
+  const combinedLines = line + ' ' + nextLine
+  const hasShellTrue = /shell\s*=\s*True/i.test(combinedLines)
+
+  // Safe: list args without shell=True
+  if (hasListArgs && !hasShellTrue) {
+    // Check if the command is completely static (all string literals in the list)
+    const staticListPattern = /subprocess\.(run|call|check_output|Popen)\s*\(\s*\[\s*(['"][^'"]*['"],?\s*)+\]/i
+    if (staticListPattern.test(line)) {
+      // Completely static command list - safe, skip entirely
+      return
+    }
+    // List args but might have variable args - lower severity
+    vulnerabilities.push({
+      id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+      filePath,
+      lineNumber: index + 1,
+      lineContent: line.trim(),
+      severity: 'low',
+      category: 'dangerous_function',
+      title: funcPattern.name + ' (list args)',
+      description:
+        'subprocess with list arguments (safer than shell=True). Verify command arguments are validated.',
+      suggestedFix: 'Ensure all arguments are validated and sanitized.',
+      confidence: 'low',
+      layer: 2,
+    })
+    return
+  }
+
+  // Standard handling for shell=True or non-list args
+  handleStandardPattern(funcPattern, line, index, filePath, isTestFile, vulnerabilities)
+}
+
+/**
+ * Handle standard patterns without special logic
+ */
+function handleStandardPattern(
+  funcPattern: DangerousFunctionPattern,
+  line: string,
+  index: number,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  let severity = funcPattern.severity
+  let confidence: 'high' | 'medium' | 'low' = 'high'
+
+  if (isTestFile) {
+    if (severity === 'critical') {
+      severity = 'medium'
+    } else if (severity === 'high') {
+      severity = 'low'
+    } else {
+      severity = 'info'
+    }
+    confidence = 'low'
+  }
+
+  vulnerabilities.push({
+    id: `dangerous-func-${filePath}-${index + 1}-${funcPattern.name}`,
+    filePath,
+    lineNumber: index + 1,
+    lineContent: line.trim(),
+    severity,
+    category: 'dangerous_function',
+    title: funcPattern.name,
+    description: funcPattern.description + (isTestFile ? ' (in test file)' : ''),
+    suggestedFix: funcPattern.suggestedFix,
+    confidence,
+    layer: 2,
+  })
+}