npm - @oculum/scanner - Versions diffs - 1.0.9 → 1.0.11 - Mend

@oculum/scanner 1.0.9 → 1.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (365) hide show

package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +1 -1
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +75 -11
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/index.d.ts +1 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +4 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +155 -16
package/dist/index.js.map +1 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +20 -3
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +20 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +9 -1
package/dist/layer1/index.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +303 -0
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +17 -3
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +462 -12
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +3 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +17 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +679 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +19 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +696 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +495 -9
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +372 -1
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +4 -0
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +3 -0
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +29 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +179 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +13 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +621 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +61 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +459 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +161 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +23 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +149 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +124 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +89 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +3 -0
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +3 -0
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +3 -0
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +61 -2
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +4 -0
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +20 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +376 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +4 -0
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +4 -0
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +188 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +1 -1
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +27 -0
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +62 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js.map +1 -1
package/dist/utils/context-helpers.d.ts +4 -0
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +13 -9
package/dist/utils/context-helpers.js.map +1 -1
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +18 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +758 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +79 -11
package/src/formatters/index.ts +4 -0
package/src/index.ts +197 -14
package/src/layer1/config-audit.ts +24 -3
package/src/layer1/config-mcp-audit.ts +276 -0
package/src/layer1/index.ts +16 -6
package/src/layer2/ai-agent-tools.ts +336 -0
package/src/layer2/ai-endpoint-protection.ts +16 -3
package/src/layer2/ai-execution-sinks.ts +516 -12
package/src/layer2/ai-fingerprinting.ts +5 -1
package/src/layer2/ai-mcp-security.ts +730 -0
package/src/layer2/ai-package-hallucination.ts +791 -0
package/src/layer2/ai-prompt-hygiene.ts +547 -9
package/src/layer2/ai-rag-safety.ts +382 -3
package/src/layer2/auth-antipatterns.ts +5 -0
package/src/layer2/byok-patterns.ts +5 -1
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +220 -0
package/src/layer2/dangerous-functions/index.ts +949 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +537 -0
package/src/layer2/dangerous-functions/patterns.ts +174 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +162 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +91 -0
package/src/layer2/data-exposure.ts +5 -1
package/src/layer2/framework-checks.ts +5 -0
package/src/layer2/index.ts +63 -1
package/src/layer2/logic-gates.ts +5 -0
package/src/layer2/model-supply-chain.ts +456 -0
package/src/layer2/risky-imports.ts +5 -0
package/src/layer2/variables.ts +5 -0
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +212 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +36 -0
package/src/types.ts +90 -0
package/src/utils/context-helpers.ts +13 -9
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/suppression/inline-parser.ts ADDED Viewed

@@ -0,0 +1,273 @@
+/**
+ * Inline Suppression Comment Parser
+ * Parses oculum-ignore comments from source code
+ */
+import type { InlineSuppression } from './types'
+import type { VulnerabilityCategory } from '../types'
+/**
+ * Valid suppression comment patterns:
+ *
+ * Single-line suppressions:
+ *   // oculum-ignore-next-line: reason here
+ *   // oculum-ignore-next-line [rule-id]: reason here
+ *   code // oculum-ignore: reason here
+ *   code // oculum-ignore [rule-id]: reason here
+ *
+ * Block suppressions:
+ *   /* oculum-ignore-block: reason here * /
+ *   ... code ...
+ *   /* oculum-ignore-block-end * /
+ *
+ * Also supports:
+ *   # oculum-ignore-next-line: reason (Python, Ruby, YAML, etc.)
+ *   -- oculum-ignore-next-line: reason (SQL)
+ */
+// Regex patterns for parsing comments
+const PATTERNS = {
+  // // oculum-ignore-next-line: reason
+  // // oculum-ignore-next-line [rule-id]: reason
+  nextLine: /(?:\/\/|#|--)\s*oculum-ignore-next-line(?:\s*\[([^\]]+)\])?\s*:\s*(.+)/i,
+  // code // oculum-ignore: reason
+  // code // oculum-ignore [rule-id]: reason
+  sameLine: /(?:\/\/|#|--)\s*oculum-ignore(?:\s*\[([^\]]+)\])?\s*:\s*(.+)/i,
+  // /* oculum-ignore-block: reason */
+  // /* oculum-ignore-block [rule-id]: reason */
+  blockStart: /\/\*\s*oculum-ignore-block(?:\s*\[([^\]]+)\])?\s*:\s*([^*]+)\*\//i,
+  // /* oculum-ignore-block-end */
+  blockEnd: /\/\*\s*oculum-ignore-block-end\s*\*\//i,
+}
+/**
+ * Parse a single line for suppression comments
+ */
+function parseLineForSuppression(
+  line: string,
+  lineNumber: number
+): InlineSuppression | null {
+  // Check for next-line suppression (must be the only thing on the line, aside from whitespace)
+  const trimmed = line.trim()
+  // Next-line pattern (comment at start of line)
+  if (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('--')
+  ) {
+    const nextLineMatch = trimmed.match(PATTERNS.nextLine)
+    if (nextLineMatch) {
+      return {
+        lineNumber,
+        type: 'next-line',
+        ruleId: nextLineMatch[1] as VulnerabilityCategory | undefined,
+        reason: nextLineMatch[2].trim(),
+        commentText: trimmed,
+      }
+    }
+  }
+  // Same-line pattern (comment at end of line with code before)
+  // Only check if there's actual code before the comment
+  const sameLineMatch = line.match(PATTERNS.sameLine)
+  if (sameLineMatch) {
+    // Find where the comment starts
+    const commentIndex = line.search(/(?:\/\/|#|--)\s*oculum-ignore/i)
+    const beforeComment = line.substring(0, commentIndex).trim()
+    // Only treat as same-line if there's code before the comment
+    // (not just whitespace or if it's at the start)
+    if (beforeComment.length > 0) {
+      return {
+        lineNumber,
+        type: 'same-line',
+        ruleId: sameLineMatch[1] as VulnerabilityCategory | undefined,
+        reason: sameLineMatch[2].trim(),
+        commentText: line.substring(commentIndex).trim(),
+      }
+    }
+  }
+  // Block start pattern
+  const blockStartMatch = line.match(PATTERNS.blockStart)
+  if (blockStartMatch) {
+    return {
+      lineNumber,
+      type: 'block-start',
+      ruleId: blockStartMatch[1] as VulnerabilityCategory | undefined,
+      reason: blockStartMatch[2].trim(),
+      commentText: blockStartMatch[0],
+    }
+  }
+  // Block end pattern
+  const blockEndMatch = line.match(PATTERNS.blockEnd)
+  if (blockEndMatch) {
+    return {
+      lineNumber,
+      type: 'block-end',
+      reason: '', // Block end has no reason
+      commentText: blockEndMatch[0],
+    }
+  }
+  return null
+}
+/**
+ * Parse all inline suppressions from file content
+ *
+ * Returns a map of line numbers to their effective suppressions.
+ * A line can be suppressed by:
+ * 1. A same-line comment (oculum-ignore)
+ * 2. A next-line comment on the previous line (oculum-ignore-next-line)
+ * 3. Being within a block suppression (oculum-ignore-block ... oculum-ignore-block-end)
+ */
+export function parseInlineSuppressions(content: string): Map<number, InlineSuppression> {
+  const lines = content.split('\n')
+  const suppressions = new Map<number, InlineSuppression>()
+  // Track block suppression state
+  let currentBlock: { startLine: number; reason: string; ruleId?: VulnerabilityCategory } | null = null
+  for (let i = 0; i < lines.length; i++) {
+    const lineNumber = i + 1 // 1-indexed
+    const line = lines[i]
+    const suppression = parseLineForSuppression(line, lineNumber)
+    if (suppression) {
+      switch (suppression.type) {
+        case 'next-line':
+          // Apply to the next line
+          if (i + 1 < lines.length) {
+            suppressions.set(lineNumber + 1, {
+              ...suppression,
+              lineNumber: lineNumber + 1,
+            })
+          }
+          break
+        case 'same-line':
+          // Apply to this line
+          suppressions.set(lineNumber, suppression)
+          break
+        case 'block-start':
+          // Start tracking block suppression
+          currentBlock = {
+            startLine: lineNumber,
+            reason: suppression.reason,
+            ruleId: suppression.ruleId,
+          }
+          break
+        case 'block-end':
+          // End block suppression
+          currentBlock = null
+          break
+      }
+    }
+    // If we're in a block suppression, add suppression for this line
+    // (unless it's the block start/end line itself)
+    if (currentBlock && suppression?.type !== 'block-start' && suppression?.type !== 'block-end') {
+      // Don't override explicit same-line suppressions
+      if (!suppressions.has(lineNumber)) {
+        suppressions.set(lineNumber, {
+          lineNumber,
+          type: 'block-start', // Mark as from block
+          reason: currentBlock.reason,
+          ruleId: currentBlock.ruleId,
+          commentText: `Block suppression from line ${currentBlock.startLine}`,
+        })
+      }
+    }
+  }
+  return suppressions
+}
+/**
+ * Check if a specific line is suppressed
+ */
+export function isLineSuppressed(
+  suppressions: Map<number, InlineSuppression>,
+  lineNumber: number,
+  category?: VulnerabilityCategory
+): InlineSuppression | null {
+  const suppression = suppressions.get(lineNumber)
+  if (!suppression) {
+    return null
+  }
+  // If suppression specifies a rule and category doesn't match, not suppressed
+  if (suppression.ruleId && category && suppression.ruleId !== category) {
+    return null
+  }
+  return suppression
+}
+/**
+ * Extract all unique suppression reasons from a file
+ * Useful for auditing suppressed findings
+ */
+export function extractSuppressionReasons(content: string): Array<{
+  reason: string
+  ruleId?: VulnerabilityCategory
+  lineNumber: number
+  type: InlineSuppression['type']
+}> {
+  const suppressions = parseInlineSuppressions(content)
+  const seen = new Set<string>()
+  const results: Array<{
+    reason: string
+    ruleId?: VulnerabilityCategory
+    lineNumber: number
+    type: InlineSuppression['type']
+  }> = []
+  for (const [lineNumber, suppression] of suppressions) {
+    // Only include unique comment sources (not duplicates from block propagation)
+    const key = `${suppression.commentText}`
+    if (!seen.has(key) && suppression.type !== 'block-end') {
+      seen.add(key)
+      results.push({
+        reason: suppression.reason,
+        ruleId: suppression.ruleId,
+        lineNumber,
+        type: suppression.type,
+      })
+    }
+  }
+  return results
+}
+/**
+ * Generate a suppression comment for a given line
+ */
+export function generateSuppressionComment(
+  reason: string,
+  options: {
+    type?: 'next-line' | 'same-line'
+    ruleId?: VulnerabilityCategory
+    commentStyle?: '//' | '#' | '--'
+  } = {}
+): string {
+  const { type = 'next-line', ruleId, commentStyle = '//' } = options
+  const ruleSpec = ruleId ? ` [${ruleId}]` : ''
+  if (type === 'next-line') {
+    return `${commentStyle} oculum-ignore-next-line${ruleSpec}: ${reason}`
+  }
+  return `${commentStyle} oculum-ignore${ruleSpec}: ${reason}`
+}

package/src/suppression/manager.ts ADDED Viewed

@@ -0,0 +1,379 @@
+/**
+ * Suppression Manager
+ * Central class for managing all suppression logic
+ */
+import { minimatch } from 'minimatch'
+import type { Vulnerability, ScanFile } from '../types'
+import type {
+  SuppressionConfig,
+  SuppressionMatch,
+  SuppressionResult,
+  SuppressedVulnerability,
+  InlineSuppression,
+  RuleSuppression,
+  FindingSuppression,
+} from './types'
+import { loadSuppressionConfig, isExpired } from './config-loader'
+import { parseInlineSuppressions, isLineSuppressed } from './inline-parser'
+import { computeFindingHash, normalizePathForHash } from './hash'
+/**
+ * Options for SuppressionManager
+ */
+export interface SuppressionManagerOptions {
+  /** Path to the project root (for finding config files) */
+  projectPath: string
+  /** Optional pre-loaded config (skips file loading) */
+  config?: SuppressionConfig
+  /** Whether to include expired suppressions (for auditing) */
+  includeExpired?: boolean
+}
+/**
+ * SuppressionManager handles all suppression logic
+ *
+ * Priority order for suppressions:
+ * 1. Inline comment suppressions (highest priority)
+ * 2. Config file finding suppressions (by hash)
+ * 3. Config file rule suppressions (by category)
+ */
+export class SuppressionManager {
+  private config: SuppressionConfig
+  private configPath: string | undefined
+  private configErrors: string[]
+  private includeExpired: boolean
+  private projectPath: string
+  // Cache for inline suppressions by file path
+  private inlineSuppressionCache: Map<string, Map<number, InlineSuppression>> = new Map()
+  constructor(options: SuppressionManagerOptions) {
+    this.projectPath = options.projectPath
+    this.includeExpired = options.includeExpired ?? false
+    if (options.config) {
+      this.config = options.config
+      this.configPath = undefined
+      this.configErrors = []
+    } else {
+      const result = loadSuppressionConfig(options.projectPath)
+      this.config = result.config
+      this.configPath = result.configPath
+      this.configErrors = result.errors
+    }
+  }
+  /**
+   * Get configuration errors (if any)
+   */
+  getConfigErrors(): string[] {
+    return this.configErrors
+  }
+  /**
+   * Get the path to the config file (if found)
+   */
+  getConfigPath(): string | undefined {
+    return this.configPath
+  }
+  /**
+   * Check if a file path should be ignored entirely
+   */
+  isPathIgnored(filePath: string): boolean {
+    if (!this.config.ignore || this.config.ignore.length === 0) {
+      return false
+    }
+    const normalizedPath = normalizePathForHash(filePath)
+    return this.config.ignore.some(pattern =>
+      minimatch(normalizedPath, pattern, { dot: true })
+    )
+  }
+  /**
+   * Parse inline suppressions for a file
+   */
+  private getInlineSuppressions(
+    filePath: string,
+    content: string
+  ): Map<number, InlineSuppression> {
+    // Check cache first
+    const cached = this.inlineSuppressionCache.get(filePath)
+    if (cached) {
+      return cached
+    }
+    // Parse and cache
+    const suppressions = parseInlineSuppressions(content)
+    this.inlineSuppressionCache.set(filePath, suppressions)
+    return suppressions
+  }
+  /**
+   * Check if a finding is suppressed
+   *
+   * Priority:
+   * 1. Inline comment (highest)
+   * 2. Config finding suppression (by hash)
+   * 3. Config rule suppression (by category)
+   */
+  isFindingSuppressed(
+    finding: Vulnerability,
+    fileContent?: string
+  ): SuppressionMatch {
+    const hash = computeFindingHash(finding)
+    const normalizedPath = normalizePathForHash(finding.filePath)
+    // 1. Check inline suppressions (if file content provided)
+    if (fileContent) {
+      const inlineSuppressions = this.getInlineSuppressions(finding.filePath, fileContent)
+      const inlineSuppression = isLineSuppressed(
+        inlineSuppressions,
+        finding.lineNumber,
+        finding.category
+      )
+      if (inlineSuppression) {
+        return {
+          suppressed: true,
+          match: {
+            type: 'inline',
+            reason: inlineSuppression.reason,
+          },
+          hash,
+        }
+      }
+    }
+    // 2. Check config finding suppressions (by hash)
+    const findingSuppressions = this.config.suppressions?.findings || []
+    const findingSuppression = findingSuppressions.find(s => s.hash === hash)
+    if (findingSuppression) {
+      const expired = isExpired(findingSuppression.expires)
+      if (expired && !this.includeExpired) {
+        // Expired - not suppressed
+        return {
+          suppressed: false,
+          match: {
+            type: 'config-finding',
+            reason: findingSuppression.reason,
+            expires: findingSuppression.expires,
+            expired: true,
+          },
+          hash,
+        }
+      }
+      return {
+        suppressed: true,
+        match: {
+          type: 'config-finding',
+          reason: findingSuppression.reason,
+          expires: findingSuppression.expires,
+          expired,
+        },
+        hash,
+      }
+    }
+    // 3. Check config rule suppressions (by category)
+    const ruleSuppressions = this.config.suppressions?.rules || []
+    const ruleSuppression = ruleSuppressions.find(s => {
+      // Must match category
+      if (s.category !== finding.category) {
+        return false
+      }
+      // If paths specified, must match one of them
+      if (s.paths && s.paths.length > 0) {
+        const matchesPath = s.paths.some(pattern =>
+          minimatch(normalizedPath, pattern, { dot: true })
+        )
+        if (!matchesPath) {
+          return false
+        }
+      }
+      return true
+    })
+    if (ruleSuppression) {
+      const expired = isExpired(ruleSuppression.expires)
+      if (expired && !this.includeExpired) {
+        // Expired - not suppressed
+        return {
+          suppressed: false,
+          match: {
+            type: 'config-rule',
+            reason: ruleSuppression.reason,
+            expires: ruleSuppression.expires,
+            expired: true,
+          },
+          hash,
+        }
+      }
+      return {
+        suppressed: true,
+        match: {
+          type: 'config-rule',
+          reason: ruleSuppression.reason,
+          expires: ruleSuppression.expires,
+          expired,
+        },
+        hash,
+      }
+    }
+    // Not suppressed
+    return {
+      suppressed: false,
+      hash,
+    }
+  }
+  /**
+   * Apply suppressions to a list of findings
+   */
+  applySuppressions(
+    findings: Vulnerability[],
+    files: ScanFile[]
+  ): SuppressionResult {
+    // Build file content lookup
+    const fileContentMap = new Map<string, string>()
+    for (const file of files) {
+      fileContentMap.set(normalizePathForHash(file.path), file.content)
+    }
+    const passed: Vulnerability[] = []
+    const suppressed: SuppressedVulnerability[] = []
+    let expiredCount = 0
+    const stats = {
+      total: findings.length,
+      inlineSuppressed: 0,
+      configFindingSuppressed: 0,
+      configRuleSuppressed: 0,
+      expired: 0,
+    }
+    for (const finding of findings) {
+      // Get file content for inline suppression checking
+      const normalizedPath = normalizePathForHash(finding.filePath)
+      const fileContent = fileContentMap.get(normalizedPath)
+      const result = this.isFindingSuppressed(finding, fileContent)
+      if (result.suppressed) {
+        suppressed.push({
+          vulnerability: {
+            id: finding.id,
+            filePath: finding.filePath,
+            lineNumber: finding.lineNumber,
+            category: finding.category,
+            severity: finding.severity,
+            title: finding.title,
+          },
+          suppression: {
+            type: result.match!.type,
+            reason: result.match!.reason,
+            expires: result.match!.expires,
+            hash: result.hash,
+          },
+        })
+        // Update stats
+        switch (result.match!.type) {
+          case 'inline':
+            stats.inlineSuppressed++
+            break
+          case 'config-finding':
+            stats.configFindingSuppressed++
+            break
+          case 'config-rule':
+            stats.configRuleSuppressed++
+            break
+        }
+      } else {
+        passed.push(finding)
+        // Track expired suppressions
+        if (result.match?.expired) {
+          expiredCount++
+          stats.expired++
+        }
+      }
+    }
+    return {
+      findings: passed,
+      suppressed,
+      expiredSuppressions: expiredCount,
+      stats,
+    }
+  }
+  /**
+   * Get all suppressions from config
+   */
+  getAllSuppressions(): {
+    rules: RuleSuppression[]
+    findings: FindingSuppression[]
+  } {
+    return {
+      rules: this.config.suppressions?.rules || [],
+      findings: this.config.suppressions?.findings || [],
+    }
+  }
+  /**
+   * Get ignore patterns from config
+   */
+  getIgnorePatterns(): string[] {
+    return this.config.ignore || []
+  }
+  /**
+   * Check if suppression system is active (has any suppressions)
+   */
+  hasSuppressions(): boolean {
+    const rules = this.config.suppressions?.rules || []
+    const findings = this.config.suppressions?.findings || []
+    const ignore = this.config.ignore || []
+    return rules.length > 0 || findings.length > 0 || ignore.length > 0
+  }
+  /**
+   * Get summary of suppression configuration
+   */
+  getSummary(): {
+    configPath: string | undefined
+    ruleCount: number
+    findingCount: number
+    ignorePatternCount: number
+    hasErrors: boolean
+  } {
+    return {
+      configPath: this.configPath,
+      ruleCount: this.config.suppressions?.rules?.length || 0,
+      findingCount: this.config.suppressions?.findings?.length || 0,
+      ignorePatternCount: this.config.ignore?.length || 0,
+      hasErrors: this.configErrors.length > 0,
+    }
+  }
+  /**
+   * Clear the inline suppression cache
+   * (useful if files have been modified)
+   */
+  clearCache(): void {
+    this.inlineSuppressionCache.clear()
+  }
+}