npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/layer2/dangerous-functions/math-random.ts ADDED Viewed

@@ -0,0 +1,537 @@
+/**
+ * Math.random() Detection
+ *
+ * Context-aware detection of Math.random() usage with intelligent severity
+ * classification based on usage context, variable names, and function intent.
+ */
+import {
+  isTestOrMockFile,
+  isSeedOrDataGenFile,
+  isEducationalVulnerabilityFile,
+} from '../../utils/context-helpers'
+import { extractFunctionContext } from './utils/control-flow'
+/**
+ * Check if Math.random() is used for cosmetic/UI purposes (not security)
+ * Cosmetic uses: CSS values, animations, UI variations, demo data
+ * Security uses: tokens, IDs, cryptographic operations, session management
+ */
+export function isCosmeticMathRandom(
+  lineContent: string,
+  content: string,
+  lineNumber: number
+): boolean {
+  const lines = content.split('\n')
+  // Check the line itself for cosmetic indicators
+  const cosmeticLinePatterns = [
+    // CSS/style values
+    /['"`]\s*\$\{.*Math\.random.*\}\s*%['"`]/, // `${Math.random() * 40 + 50}%`
+    /Math\.random.*\s*\+\s*['"`]%['"`]/, // Math.random() * 40 + '%'
+    /Math\.random.*\)\s*\*\s*\d+\s*\+\s*\d+\s*\}\s*%/, // }) * 40 + 50}%
+    /return\s+`.*Math\.random.*%`/, // return `${...}%`
+    /width:\s*['"`].*Math\.random/i, // width: `${Math.random()...}%`
+    /height:\s*['"`].*Math\.random/i, // height: `${Math.random()...}%`
+    /opacity:\s*['"`]?.*Math\.random/i, // opacity: Math.random()
+    /transform:\s*['"`]?.*Math\.random/i, // transform: translate(...)
+    /rotate\(.*Math\.random/i, // rotate(Math.random() * 360)
+    /translate\(.*Math\.random/i, // translate(Math.random() * 100)
+    /scale\(.*Math\.random/i, // scale(Math.random() * 2)
+    // Color/animation values
+    /rgba?\(.*Math\.random/i, // rgb(Math.random() * 255, ...)
+    /hsl\(.*Math\.random/i, // hsl(Math.random() * 360, ...)
+    /Math\.random.*\*\s*360/, // Math.random() * 360 (degrees/hue)
+    /Math\.random.*\*\s*255/, // Math.random() * 255 (RGB values)
+    // Array/list randomization for UI
+    /Math\.floor\(Math\.random.*\.length\)/, // Math.floor(Math.random() * array.length)
+    /\[Math\.floor\(Math\.random/, // array[Math.floor(Math.random()...)]
+    // Demo/placeholder data
+    /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bpx\b/i, // Math.random() * 100 + 50 + 'px'
+    /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bms\b/i, // Math.random() * 1000 + 500 + 'ms'
+    /Math\.random.*\*\s*\d+\s*\+\s*\d+.*\bs\b/i, // Math.random() * 5 + 2 + 's'
+    // NOTE: toString patterns removed - now handled by analyzeToStringPattern()
+    // which provides more granular severity classification (info/low/medium/high)
+    // based on truncation length and context
+  ]
+  if (cosmeticLinePatterns.some(p => p.test(lineContent))) {
+    return true
+  }
+  // Check surrounding context (5 lines before and after)
+  const contextStart = Math.max(0, lineNumber - 5)
+  const contextEnd = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(contextStart, contextEnd).join('\n')
+  // Context indicators of cosmetic use
+  const cosmeticContextPatterns = [
+    // UI component files - REMOVED, let severity classification handle these
+    // Style-related variables/functions
+    /\b(style|styles|css|className|animation|transition)/i,
+    /\b(width|height|opacity|color|transform|rotate|scale|translate)/i,
+    // Demo/example data
+    /\b(demo|example|placeholder|mock|fake|sample|test)Data/i,
+    /\b(random|shuffle|pick|choose).*\b(color|item|element|option)/i,
+    // Animation/timing
+    /setTimeout.*Math\.random/i,
+    /setInterval.*Math\.random/i,
+    /delay.*Math\.random/i,
+    /duration.*Math\.random/i,
+    // UI state variations
+    /\b(variant|theme|layout|position).*Math\.random/i,
+    // NOTE: Removed UI identifier patterns (key, id, tempId, etc.) - these should be
+    // classified with info/low severity by the severity classification logic, not skipped entirely
+  ]
+  if (cosmeticContextPatterns.some(p => p.test(context))) {
+    return true
+  }
+  // Security-sensitive patterns that override cosmetic detection
+  const securityPatterns = [
+    /\b(token|secret|key|password|credential|signature)/i,
+    /\b(auth|crypto|encrypt|decrypt|hash)/i,
+    /\b(session|nonce|salt)\b/i,
+    /Math\.random.*\*\s*1e\d+/, // Math.random() * 1e16 (large numbers for IDs)
+  ]
+  if (securityPatterns.some(p => p.test(lineContent) || p.test(context))) {
+    return false // Not cosmetic - this is security-sensitive
+  }
+  // Check for .toString(36) WITHOUT substring/slice/substr (security token pattern)
+  // If it has substring/slice/substr, it's already caught by cosmeticLinePatterns above
+  const hasToString36WithoutTruncation =
+    /Math\.random\(\)\.toString\(36\)/.test(lineContent) &&
+    !/\.(substring|substr|slice)\(/.test(lineContent)
+  const hasToString16WithoutTruncation =
+    /Math\.random\(\)\.toString\(16\)/.test(lineContent) &&
+    !/\.(substring|substr|slice)\(/.test(lineContent)
+  if (hasToString36WithoutTruncation || hasToString16WithoutTruncation) {
+    return false // Full-length toString() without truncation - likely security token
+  }
+  return false // Default to flagging if unclear
+}
+/**
+ * Classify function intent based on function name
+ * Used to determine if Math.random() usage is legitimate
+ */
+export function classifyFunctionIntent(
+  functionName: string | null
+): 'uuid' | 'captcha' | 'demo' | 'security' | 'unknown' {
+  if (!functionName) return 'unknown'
+  const lower = functionName.toLowerCase()
+  // UUID/ID generation (UI correlation, not security)
+  // Check for specific UUID patterns and generic ID generation functions
+  const uuidPatterns = ['uuid', 'guid', 'uniqueid', 'correlationid', 'tempid', 'temp_id']
+  // Match patterns like generateId, generateTempId, createId, etc.
+  const idGenerationPatterns = /^(generate|create|make|build)(\w*)?(id|identifier)$/i
+  if (
+    uuidPatterns.some(p => lower.includes(p)) ||
+    idGenerationPatterns.test(lower)
+  ) {
+    return 'uuid'
+  }
+  // CAPTCHA/puzzle generation (legitimate non-security)
+  const captchaPatterns = ['captcha', 'puzzle', 'mathproblem']
+  // Also check for 'challenge' but only if not in security context
+  if (captchaPatterns.some(p => lower.includes(p))) return 'captcha'
+  if (lower.includes('challenge') && !lower.includes('auth')) return 'captcha'
+  // Demo/seed/fixture data
+  const demoPatterns = ['seed', 'fixture', 'demo', 'mock', 'fake']
+  if (demoPatterns.some(p => lower.includes(p))) return 'demo'
+  // Security-sensitive (check this after id generation to avoid false positives)
+  const securityPatterns = [
+    'token',
+    'secret',
+    'key',
+    'password',
+    'credential',
+    'signature',
+  ]
+  // Also match generate/create + security term combinations
+  const securityFunctionPattern =
+    /^(generate|create|make)(token|secret|key|session|password|credential)/i
+  if (
+    securityPatterns.some(p => lower.includes(p)) ||
+    securityFunctionPattern.test(lower)
+  ) {
+    return 'security'
+  }
+  return 'unknown'
+}
+/**
+ * Analyze toString() pattern in Math.random() usage
+ * Determines intent based on base and truncation length
+ */
+export function analyzeToStringPattern(lineContent: string): {
+  hasToString: boolean
+  base: number | null
+  isTruncated: boolean
+  truncationLength: number | null
+  intent: 'short-ui-id' | 'business-id' | 'full-token' | 'unknown'
+} {
+  const toString36Match = lineContent.match(/Math\.random\(\)\.toString\(36\)/)
+  const toString16Match = lineContent.match(/Math\.random\(\)\.toString\(16\)/)
+  if (!toString36Match && !toString16Match) {
+    return {
+      hasToString: false,
+      base: null,
+      isTruncated: false,
+      truncationLength: null,
+      intent: 'unknown',
+    }
+  }
+  const base = toString36Match ? 36 : 16
+  // Check for truncation methods
+  const substringMatch = lineContent.match(
+    /\.substring\((\d+)(?:,\s*(\d+))?\)/
+  )
+  const sliceMatch = lineContent.match(/\.slice\((\d+)(?:,\s*(\d+))?\)/)
+  const substrMatch = lineContent.match(/\.substr\((\d+)(?:,\s*(\d+))?\)/)
+  const truncMatch = substringMatch || sliceMatch || substrMatch
+  if (!truncMatch) {
+    return {
+      hasToString: true,
+      base,
+      isTruncated: false,
+      truncationLength: null,
+      intent: 'full-token',
+    }
+  }
+  // Calculate truncation length
+  const start = parseInt(truncMatch[1])
+  const end = truncMatch[2] ? parseInt(truncMatch[2]) : null
+  // If no end specified (e.g., .substring(7)), the result is from start to end of string
+  // Math.random().toString(36) produces ~11 chars like "0.abc123def"
+  // .substring(2) gives ~9 chars, .substring(7) gives ~4 chars
+  // Estimate remaining length: ~11 - start
+  const estimatedFullLength = 11
+  const length = end ? end - start : (start >= 2 ? estimatedFullLength - start : null)
+  // Classify intent by length
+  // Short (2-9 chars): UI correlation IDs, React keys
+  // Medium (10-15 chars): Business IDs, order numbers
+  if (length && length <= 9) {
+    return {
+      hasToString: true,
+      base,
+      isTruncated: true,
+      truncationLength: length,
+      intent: 'short-ui-id',
+    }
+  } else if (length && length <= 15) {
+    return {
+      hasToString: true,
+      base,
+      isTruncated: true,
+      truncationLength: length,
+      intent: 'business-id',
+    }
+  } else {
+    return {
+      hasToString: true,
+      base,
+      isTruncated: true,
+      truncationLength: length,
+      intent: 'business-id',
+    }
+  }
+}
+/**
+ * Extract variable name from Math.random() assignment
+ * Examples:
+ *   const token = Math.random() -> "token"
+ *   const businessId = Math.random().toString(36) -> "businessId"
+ *   return Math.random() -> null (no variable)
+ */
+export function extractMathRandomVariableName(
+  lineContent: string
+): string | null {
+  // const/let/var variableName = Math.random...
+  const assignmentMatch = lineContent.match(
+    /(?:const|let|var)\s+(\w+)\s*=.*Math\.random/
+  )
+  if (assignmentMatch) return assignmentMatch[1]
+  // object.property = Math.random...
+  const propertyMatch = lineContent.match(/(\w+)\s*[:=]\s*Math\.random/)
+  if (propertyMatch) return propertyMatch[1]
+  // function parameter default: functionName(param = Math.random())
+  const paramMatch = lineContent.match(/(\w+)\s*=\s*Math\.random/)
+  if (paramMatch) return paramMatch[1]
+  return null // No variable name found
+}
+/**
+ * Classify variable name security risk based on naming patterns
+ *
+ * High risk: Security-sensitive names (token, secret, key, etc.)
+ * Medium risk: Unclear context
+ * Low risk: Non-security names (id, businessId, orderId, etc.)
+ */
+export function classifyVariableNameRisk(
+  varName: string | null
+): 'high' | 'medium' | 'low' {
+  if (!varName) return 'medium' // Unknown usage, moderate risk
+  const lower = varName.toLowerCase()
+  // High risk: security-sensitive variable names
+  // Note: 'key' alone is NOT included - it often means React key, not crypto key
+  // Instead, we match specific security key patterns
+  const highRiskPatterns = [
+    'token',
+    'secret',
+    'password',
+    'credential',
+    'signature',
+    'salt',
+    'nonce',
+    'session',
+    'csrf',
+    'auth',
+    'apikey',
+    'secretkey',
+    'privatekey',
+    'encryptionkey',
+    'accesstoken',
+    'refreshtoken',
+    'jwt',
+    'bearer',
+    'oauth',
+    'sessionid',
+  ]
+  if (highRiskPatterns.some(p => lower.includes(p))) {
+    return 'high'
+  }
+  // Low risk: clearly non-security contexts
+  const lowRiskPatterns = [
+    // Business identifiers
+    'id',
+    'uid',
+    'guid',
+    'business',
+    'order',
+    'invoice',
+    'customer',
+    'user',
+    'product',
+    'item',
+    'transaction',
+    'request',
+    'reference',
+    'tracking',
+    'confirmation',
+    // Test/demo data
+    'test',
+    'mock',
+    'demo',
+    'sample',
+    'example',
+    'fixture',
+    'random',
+    'temp',
+    'temporary',
+    'generated',
+    'dummy',
+    // UI identifiers (checked after high-risk, so 'apikey' etc. already caught)
+    'key',
+    'toast',
+    'notification',
+    'element',
+    'component',
+    'widget',
+    'modal',
+    'dialog',
+    'popup',
+    'unique',
+    'react',
+    // Non-security randomness usage (backoff/sampling/experiments)
+    'jitter',
+    'retry',
+    'backoff',
+    'delay',
+    'timeout',
+    'latency',
+    'sample',
+    'sampling',
+    'probability',
+    'chance',
+    'rollout',
+    'experiment',
+    'abtest',
+    'cohort',
+    'bucket',
+    'variant',
+  ]
+  if (lowRiskPatterns.some(p => lower.includes(p))) {
+    return 'low'
+  }
+  return 'medium' // Unclear context, moderate risk
+}
+/**
+ * Analyze surrounding code context for security signals
+ * Returns context type and description for severity classification
+ */
+export function analyzeMathRandomContext(
+  content: string,
+  filePath: string,
+  lineNumber: number
+): {
+  inSecurityContext: boolean
+  inTestContext: boolean
+  inUIContext: boolean
+  inBusinessLogicContext: boolean
+  contextDescription: string
+} {
+  const lines = content.split('\n')
+  const start = Math.max(0, lineNumber - 10)
+  const end = Math.min(lines.length, lineNumber + 5)
+  const context = lines.slice(start, end).join('\n')
+  // Security context indicators (functions, imports, comments)
+  const securityPatterns = [
+    /\b(generate|create)(Token|Secret|Key|Password|Nonce|Salt|Session|Signature)/i,
+    /\b(auth|crypto|encrypt|decrypt|hash|sign)\b/i,
+    /function\s+.*(?:token|secret|key|auth|crypto)/i,
+    /\bimport.*(?:crypto|jsonwebtoken|bcrypt|argon2|jose)/i,
+    /\/\*.*(?:security|authentication|cryptograph|authorization)/i,
+    /\/\/.*(?:security|auth|crypto|token|secret)/i,
+  ]
+  const inSecurityContext = securityPatterns.some(p => p.test(context))
+  // Test context
+  const testFilePatterns = /\.(test|spec)\.(ts|tsx|js|jsx)$/i
+  const testContextPatterns = [
+    /\b(describe|it|test|expect|mock|jest|vitest|mocha|chai)\b/i,
+    /\b(beforeEach|afterEach|beforeAll|afterAll)\b/i,
+    /\b(fixture|stub|spy)\b/i,
+  ]
+  const inTestContext =
+    testFilePatterns.test(filePath) ||
+    testContextPatterns.some(p => p.test(context))
+  // UI/cosmetic context (reuse existing logic)
+  const lineContent = lines[lineNumber]
+  const inUIContext = isCosmeticMathRandom(lineContent, content, lineNumber)
+  // Business logic context (non-security ID generation)
+  // Note: UUID/CAPTCHA patterns excluded - handled by functionIntent classification
+  const businessLogicPatterns = [
+    /\b(business|order|invoice|customer|product|transaction)Id\b/i,
+    /\b(reference|tracking|confirmation)Number\b/i,
+    /\b(backoff|retry|jitter|delay|timeout|latency)\b/i,
+    /\b(sample|sampling|probability|chance|rollout|experiment|abtest|cohort|bucket|variant)\b/i,
+  ]
+  const inBusinessLogicContext =
+    businessLogicPatterns.some(p => p.test(context)) && !inSecurityContext
+  // Determine context description
+  let contextDescription = 'unknown context'
+  if (inSecurityContext) {
+    contextDescription = 'security-sensitive function'
+  } else if (inTestContext) {
+    contextDescription = 'test/mock data generation'
+  } else if (inUIContext) {
+    contextDescription = 'UI/cosmetic usage'
+  } else if (inBusinessLogicContext) {
+    contextDescription = 'non-security usage'
+  }
+  return {
+    inSecurityContext,
+    inTestContext,
+    inUIContext,
+    inBusinessLogicContext,
+    contextDescription,
+  }
+}
+/**
+ * Check if Math.random() should be skipped entirely
+ * Returns true for seed files, test fixtures, captcha/puzzle, uuid, and pure cosmetic uses
+ */
+export function shouldSkipMathRandom(
+  content: string,
+  filePath: string,
+  lineNumber: number
+): boolean {
+  // Seed/data generation files - skip entirely
+  if (isSeedOrDataGenFile(filePath)) {
+    return true
+  }
+  // Educational/intentional vulnerability files - skip entirely
+  // These include OWASP Juice Shop, intentionally-vulnerable examples, etc.
+  if (isEducationalVulnerabilityFile(filePath)) {
+    return true
+  }
+  // Test files with test fixture patterns
+  if (isTestOrMockFile(filePath)) {
+    const lines = content.split('\n')
+    const line = lines[lineNumber]
+    // If in a test file and generating test data, skip
+    if (
+      /\b(mock|fake|fixture|test)Data/i.test(line) ||
+      /\b(it|test|describe)\s*\(/.test(line)
+    ) {
+      return true
+    }
+  }
+  // Pure cosmetic usage (CSS values, animations)
+  const lines = content.split('\n')
+  const lineContent = lines[lineNumber] || ''
+  if (isCosmeticMathRandom(lineContent, content, lineNumber)) {
+    // Additional check: if this is for animation/style, truly skip
+    const pureStylePatterns = [
+      /\.style\./,
+      /animation/i,
+      /transform/i,
+      /opacity/i,
+      /\brgb/i,
+      /\bhsl/i,
+    ]
+    if (pureStylePatterns.some(p => p.test(lineContent))) {
+      return true
+    }
+  }
+  // Check function context for demo/seed/captcha/uuid functions
+  const functionName = extractFunctionContext(content, lineNumber)
+  const functionIntent = classifyFunctionIntent(functionName)
+  // Skip demo, captcha, and uuid functions entirely - these are legitimate uses
+  if (functionIntent === 'demo' || functionIntent === 'captcha' || functionIntent === 'uuid') {
+    return true
+  }
+  return false
+}