npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/layer2/dangerous-functions/json-parse.ts ADDED Viewed

@@ -0,0 +1,385 @@
+/**
+ * JSON.parse Detection
+ *
+ * Source-aware detection of JSON.parse usage with severity classification
+ * based on the data source and error handling context.
+ */
+import type { Vulnerability, VulnerabilitySeverity } from '../../types'
+import { isComment, isTestOrMockFile } from '../../utils/context-helpers'
+import { isInsideTryCatch, hasTryCatchNearby } from './utils/control-flow'
+import { hasSchemaValidationNearby } from './utils/schema-validation'
+/**
+ * JSON.parse source classification
+ * Determines if the input is user-controlled or internal data
+ */
+export type JSONParseSource =
+  | 'user_input'
+  | 'local_storage'
+  | 'database'
+  | 'config'
+  | 'migration'
+  | 'internal'
+  | 'test_fixture'
+  | 'ui_state'
+  | 'unknown'
+/**
+ * Check if file path indicates a low-risk context for JSON.parse
+ */
+export function isLowRiskJSONParseFile(filePath: string): JSONParseSource | null {
+  // Test/mock files - skip or info only
+  if (isTestOrMockFile(filePath)) {
+    return 'test_fixture'
+  }
+  // Settings/preferences components - internal UI state
+  if (/\/(components|pages)\/(settings|preferences|config)/i.test(filePath)) {
+    return 'ui_state'
+  }
+  // Provider/context files - typically storing state in localStorage
+  if (/Provider\.(ts|tsx|js|jsx)$/i.test(filePath)) {
+    return 'ui_state'
+  }
+  // Modal/Dialog components - typically internal state
+  if (/(Modal|Dialog|Settings|Preferences)\.(ts|tsx|js|jsx)$/i.test(filePath)) {
+    return 'ui_state'
+  }
+  // __mocks__ directory
+  if (/__mocks__/i.test(filePath)) {
+    return 'test_fixture'
+  }
+  // fixtures directory
+  if (/\/(fixtures?|stubs?|mocks?)\//i.test(filePath)) {
+    return 'test_fixture'
+  }
+  // scripts/tools directories (internal tooling)
+  if (/\/(scripts?|tools?|cli)\//i.test(filePath)) {
+    return 'internal'
+  }
+  // Migration files
+  if (/migration/i.test(filePath)) {
+    return 'migration'
+  }
+  // Config files
+  if (/\/(config|settings|constants)\.(ts|js)/i.test(filePath)) {
+    return 'config'
+  }
+  return null
+}
+/**
+ * Check if JSON.parse is parsing a trusted SDK response
+ * These are well-defined responses from known APIs and are safe to parse
+ */
+export function isTrustedSDKResponse(lineContent: string, content: string): boolean {
+  const trustedPatterns = [
+    // OpenAI SDK responses
+    /JSON\.parse\s*\(\s*(?:response|completion|result|message)\.(?:content|text|data)/i,
+    /JSON\.parse\s*\(\s*(?:openai|anthropic|client)\./i,
+    // Fetch response.json() result (already parsed by fetch)
+    /JSON\.parse\s*\(\s*await\s+.*\.json\s*\(\s*\)\s*\)/i,
+    // SDK method results
+    /JSON\.parse\s*\(\s*(?:result|response)\.(?:choices|content|data|body)\[/i,
+    // AI SDK streaming results
+    /JSON\.parse\s*\(\s*(?:chunk|delta|part)\.(?:content|text)/i,
+  ]
+  if (trustedPatterns.some(p => p.test(lineContent))) {
+    return true
+  }
+  // Check surrounding context for SDK usage
+  const sdkContextPatterns = [
+    /openai\..*\.create/i,
+    /anthropic\..*\.create/i,
+    /\.chat\.completions/i,
+    /\.messages\.create/i,
+  ]
+  return sdkContextPatterns.some(p => p.test(content))
+}
+/**
+ * Classify the source of data being passed to JSON.parse
+ */
+export function classifyJSONParseSource(
+  lineContent: string,
+  filePath: string
+): JSONParseSource {
+  // First check file path for low-risk contexts
+  const fileBasedSource = isLowRiskJSONParseFile(filePath)
+  if (fileBasedSource) {
+    return fileBasedSource
+  }
+  // User input - potentially dangerous
+  const userInputPatterns = [
+    /JSON\.parse\s*\(\s*(req|request)\.(body|query|params)/i,
+    /JSON\.parse\s*\(\s*event\.(body|queryStringParameters)/i, // AWS Lambda
+    /JSON\.parse\s*\(\s*ctx\.(request|body|query)/i, // Koa
+    /JSON\.parse\s*\(\s*(input|userInput|rawInput|payload)/i,
+    /JSON\.parse\s*\(\s*body\b/i, // Generic 'body' often means request body
+  ]
+  if (userInputPatterns.some(p => p.test(lineContent))) {
+    return 'user_input'
+  }
+  // localStorage/sessionStorage - client-side storage
+  const storagePatterns = [
+    /JSON\.parse\s*\(\s*localStorage\.getItem/i,
+    /JSON\.parse\s*\(\s*sessionStorage\.getItem/i,
+    /JSON\.parse\s*\(\s*window\.localStorage/i,
+    /JSON\.parse\s*\(\s*storage\.get/i,
+    /JSON\.parse\s*\(\s*saved\b/i, // Common pattern: const saved = localStorage.getItem(...); JSON.parse(saved)
+    /JSON\.parse\s*\(\s*stored\b/i,
+  ]
+  if (storagePatterns.some(p => p.test(lineContent))) {
+    return 'local_storage'
+  }
+  // Database results - internal data
+  const databasePatterns = [
+    /JSON\.parse\s*\(\s*(row|result|record|doc|document)\./i,
+    /JSON\.parse\s*\(\s*\w+\.(data|json|metadata|embedding)\)/i,
+    /JSON\.parse\s*\(\s*\w+\[['"]?\w+['"]?\]\.(data|json|embedding)/i,
+    /JSON\.parse\s*\(\s*item\.\w+\)/i, // ORM iteration: items.map(item => JSON.parse(item.field))
+    /JSON\.parse\s*\(\s*\w+\.content\)/i, // Parsing content field from DB
+  ]
+  if (databasePatterns.some(p => p.test(lineContent))) {
+    return 'database'
+  }
+  // Editor state, internal caches, UI state
+  const internalPatterns = [
+    /JSON\.parse\s*\(\s*(state|cache|stored|saved|cached)/i,
+    /JSON\.parse\s*\(\s*this\.(state|cache|data)/i,
+    /JSON\.parse\s*\(\s*\w+State\)/i,
+    /JSON\.parse\s*\(\s*editorState/i,
+    /JSON\.parse\s*\(\s*parsed\b/i, // JSON.parse(parsed) - likely already validated
+    /JSON\.parse\s*\(\s*settings\b/i, // Settings data
+    /JSON\.parse\s*\(\s*preferences\b/i,
+  ]
+  if (internalPatterns.some(p => p.test(lineContent))) {
+    return 'internal'
+  }
+  // Node content in editor apps (e.g., noda-os nodes have JSON content)
+  if (
+    /JSON\.parse\s*\(\s*(node|note|document|entry)\.(content|body|data)\)/i.test(
+      lineContent
+    )
+  ) {
+    return 'database'
+  }
+  return 'unknown'
+}
+/**
+ * Detect JSON.parse usage with source-aware severity
+ * Much smarter than simple pattern matching - considers try/catch and data source
+ */
+export function detectJSONParseSafe(
+  content: string,
+  filePath: string,
+  isTestFile: boolean,
+  vulnerabilities: Vulnerability[]
+): void {
+  const lines = content.split('\n')
+  const jsonParsePattern = /JSON\.parse\s*\(/gi
+  // Track instances per file to aggregate noisy patterns
+  const instances: {
+    lineNumber: number
+    lineContent: string
+    source: JSONParseSource
+  }[] = []
+  lines.forEach((line, index) => {
+    if (isComment(line)) return
+    jsonParsePattern.lastIndex = 0
+    if (!jsonParsePattern.test(line)) return
+    const jsonSource = classifyJSONParseSource(line, filePath)
+    // Skip migration files entirely - they're internal tooling
+    if (jsonSource === 'migration') return
+    // Skip test fixtures entirely - they're intentionally parsing test data
+    if (jsonSource === 'test_fixture') return
+    // Skip trusted SDK responses - these are well-defined and safe to parse
+    if (isTrustedSDKResponse(line, content)) return
+    // Check if JSON.parse is inside a try-catch block
+    const insideTryCatch =
+      isInsideTryCatch(content, index) || hasTryCatchNearby(content, index)
+    // Check if schema validation is applied after JSON.parse
+    const hasSchemaValidation = hasSchemaValidationNearby(content, index)
+    // If inside try-catch with safe source, suppress entirely - this is perfectly fine
+    if (
+      insideTryCatch &&
+      ['local_storage', 'database', 'config', 'internal', 'ui_state'].includes(
+        jsonSource
+      )
+    ) {
+      return
+    }
+    // If schema validation is present, this is properly handled
+    if (hasSchemaValidation) {
+      return
+    }
+    // UI state (settings, providers, modals) - very low risk, aggregate or skip
+    if (jsonSource === 'ui_state') {
+      // Only track for aggregation, don't report individually
+      instances.push({
+        lineNumber: index + 1,
+        lineContent: line.trim(),
+        source: jsonSource,
+      })
+      return
+    }
+    // Determine severity based on source and error handling
+    let severity: VulnerabilitySeverity
+    let description: string
+    let suggestedFix: string
+    let confidence: 'high' | 'medium' | 'low' = 'medium'
+    if (insideTryCatch) {
+      // Already has error handling
+      switch (jsonSource) {
+        case 'user_input':
+          severity = 'low'
+          description =
+            'JSON.parse on user input is wrapped in try-catch. Consider adding schema validation (zod/yup) to validate the parsed structure.'
+          suggestedFix =
+            'Add schema validation after parsing: const validated = schema.parse(JSON.parse(input))'
+          confidence = 'low'
+          break
+        default:
+          // With try-catch and non-user source, this is fine - don't report
+          return
+      }
+    } else {
+      // No try-catch
+      switch (jsonSource) {
+        case 'user_input':
+          severity = 'medium'
+          description =
+            'JSON.parse on user input without schema validation. Malformed input will crash; malicious input may have unexpected shape.'
+          suggestedFix =
+            'Use a schema validation library (zod, yup, joi): try { const data = schema.parse(JSON.parse(body)) } catch (e) { return 400 }'
+          confidence = 'high'
+          break
+        case 'local_storage':
+          severity = 'info'
+          description =
+            'JSON.parse on localStorage data. Consider adding try-catch for robustness against corrupted data.'
+          suggestedFix =
+            'Wrap in try-catch to handle corrupted localStorage gracefully.'
+          confidence = 'low'
+          break
+        case 'database':
+          // Database content parsing is very common and low-risk
+          instances.push({
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            source: jsonSource,
+          })
+          return // Will be aggregated below
+        case 'config':
+        case 'internal':
+          severity = 'info'
+          description = `JSON.parse on ${jsonSource.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.`
+          suggestedFix = 'Consider adding try-catch for robustness.'
+          confidence = 'low'
+          break
+        default:
+          // Unknown source - track for potential aggregation
+          instances.push({
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            source: jsonSource,
+          })
+          return // Will be evaluated below based on aggregation
+      }
+    }
+    // Downgrade test files
+    if (isTestFile) {
+      severity = 'info'
+      confidence = 'low'
+      description += ' (in test file)'
+    }
+    vulnerabilities.push({
+      id: `json-parse-${filePath}-${index + 1}`,
+      filePath,
+      lineNumber: index + 1,
+      lineContent: line.trim(),
+      severity,
+      category: 'dangerous_function',
+      title: 'JSON.parse usage',
+      description,
+      suggestedFix,
+      confidence,
+      layer: 2,
+    })
+  })
+  // Aggregate low-risk JSON.parse instances if there are many
+  if (instances.length >= 3) {
+    // Create single aggregated finding instead of N individual findings
+    const lineNumbers = instances.map(i => i.lineNumber).slice(0, 5)
+    const moreText =
+      instances.length > 5 ? `... (${instances.length} total)` : ''
+    vulnerabilities.push({
+      id: `json-parse-aggregated-${filePath}`,
+      filePath,
+      lineNumber: instances[0].lineNumber,
+      lineContent: `${instances.length} instances across this file`,
+      severity: 'info',
+      category: 'dangerous_function',
+      title: `JSON.parse usage (${instances.length} instances)`,
+      description: `JSON.parse detected. Consider adding error handling and schema validation if parsing user input.${isTestFile ? ' (in test file)' : ''}\n\nFound ${instances.length} occurrences at lines: ${lineNumbers.join(', ')}${moreText}`,
+      suggestedFix:
+        'Add try-catch for error handling. If parsing user input, add schema validation.',
+      confidence: 'low',
+      layer: 2,
+    })
+  } else if (instances.length > 0 && instances.length < 3) {
+    // Report individually for small counts
+    for (const instance of instances) {
+      vulnerabilities.push({
+        id: `json-parse-${filePath}-${instance.lineNumber}`,
+        filePath,
+        lineNumber: instance.lineNumber,
+        lineContent: instance.lineContent,
+        severity: 'info',
+        category: 'dangerous_function',
+        title: 'JSON.parse usage',
+        description: `JSON.parse on ${instance.source.replace('_', ' ')} data without error handling. Low risk but consider defensive coding.${isTestFile ? ' (in test file)' : ''}`,
+        suggestedFix: 'Consider adding try-catch for robustness.',
+        confidence: 'low',
+        layer: 2,
+      })
+    }
+  }
+}