@trust-assurance-protocol/owaspscan 1.0.0

package/dist/analysis/ast-analyzer.d.ts

@@ -0,0 +1,13 @@
+import type { Finding, Rule } from '../types/index.js';
+import type { TaintMap } from '../parsers/ast-queries.js';
+export type { TaintMap };
+type ASTLanguage = 'javascript' | 'typescript' | 'python';
+/**
+ * Run AST-based analysis on source code.
+ * Returns Finding[] — empty array if AST parsing fails (graceful degradation).
+ *
+ * crossFileSources: optional function names from other scanned files that return
+ * tainted data (populated by the two-pass scanDirectory pre-pass).
+ */
+export declare function analyzeAST(code: string, language: ASTLanguage, filePath: string, rules: Rule[], crossFileSources?: TaintMap): Finding[];
+//# sourceMappingURL=ast-analyzer.d.ts.map

package/dist/analysis/ast-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-analyzer.d.ts","sourceRoot":"","sources":["../../src/analysis/ast-analyzer.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAGvD,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAI1D,YAAY,EAAE,QAAQ,EAAE,CAAC;AAEzB,KAAK,WAAW,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC;AAE1D;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,WAAW,EACrB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,IAAI,EAAE,EACb,gBAAgB,CAAC,EAAE,QAAQ,GAC1B,OAAO,EAAE,CAyCX"}

package/dist/analysis/ast-analyzer.js

@@ -0,0 +1,58 @@
+// ============================================================
+// AST Analyzer — converts AST findings into Finding objects
+//
+// Integrates both direct detection and AST-based taint propagation.
+// Runs before regex so that AST findings take priority.
+// Falls back silently if tree-sitter is unavailable.
+// ============================================================
+import { parseCode } from '../parsers/ast-parser.js';
+import { findVulnerableCalls } from '../parsers/ast-queries.js';
+import { isSuppressed } from '../utils/suppression.js';
+import { registry } from '../rules/registry.js';
+/**
+ * Run AST-based analysis on source code.
+ * Returns Finding[] — empty array if AST parsing fails (graceful degradation).
+ *
+ * crossFileSources: optional function names from other scanned files that return
+ * tainted data (populated by the two-pass scanDirectory pre-pass).
+ */
+export function analyzeAST(code, language, filePath, rules, crossFileSources) {
+    // Try to parse; if it fails (native module missing, parse error), return empty
+    const tree = parseCode(code, language);
+    if (!tree)
+        return [];
+    const activeRuleIds = new Set(rules.map((r) => r.id));
+    const lines = code.split('\n');
+    const findings = [];
+    const astFindings = findVulnerableCalls(tree.rootNode, language, lines, crossFileSources);
+    for (const af of astFindings) {
+        // Only emit if the rule is in the active set
+        if (!activeRuleIds.has(af.ruleId))
+            continue;
+        // Check suppression comments
+        if (isSuppressed(lines, af.line - 1, af.ruleId))
+            continue;
+        const rule = registry.getById(af.ruleId);
+        if (!rule)
+            continue;
+        findings.push({
+            ruleId: af.ruleId,
+            ruleName: rule.name,
+            owasp: af.owasp,
+            cwe: rule.cwe,
+            severity: af.severity,
+            filePath,
+            line: af.line,
+            column: af.column,
+            snippet: af.snippet,
+            message: `[AST] ${af.description}`,
+            fix: rule.fix,
+            references: rule.references,
+            confidence: af.suppressedByMiddleware ? 'LOW' : 'HIGH',
+            analysisMethod: 'ast',
+            taintPath: af.taintPath,
+        });
+    }
+    return findings;
+}
+//# sourceMappingURL=ast-analyzer.js.map

package/dist/analysis/ast-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-analyzer.js","sourceRoot":"","sources":["../../src/analysis/ast-analyzer.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,4DAA4D;AAC5D,EAAE;AACF,oEAAoE;AACpE,wDAAwD;AACxD,qDAAqD;AACrD,+DAA+D;AAG/D,OAAO,EAAE,SAAS,EAAE,MAAM,0BAA0B,CAAC;AACrD,OAAO,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAEhE,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAMhD;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CACxB,IAAY,EACZ,QAAqB,EACrB,QAAgB,EAChB,KAAa,EACb,gBAA2B;IAE3B,+EAA+E;IAC/E,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IAErB,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,MAAM,WAAW,GAAG,mBAAmB,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAE1F,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,6CAA6C;QAC7C,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC;YAAE,SAAS;QAE5C,6BAA6B;QAC7B,IAAI,YAAY,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC;YAAE,SAAS;QAE1D,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,QAAQ;YACR,IAAI,EAAE,EAAE,CAAC,IAAI;YACb,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,OAAO,EAAE,EAAE,CAAC,OAAO;YACnB,OAAO,EAAE,SAAS,EAAE,CAAC,WAAW,EAAE;YAClC,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,UAAU,EAAE,EAAE,CAAC,sBAAsB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM;YACtD,cAAc,EAAE,KAAK;YACrB,SAAS,EAAE,EAAE,CAAC,SAAS;SACxB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/analysis/llm-verifier.d.ts

@@ -0,0 +1,17 @@
+import type { ScanResult } from '../types/index.js';
+import type { FailOnLevel } from '../types/index.js';
+export interface LLMVerifierOptions {
+    apiKey?: string;
+    maxCalls?: number;
+    projectRoot?: string;
+}
+/**
+ * Verify low-confidence (MEDIUM, regex-only) findings using Claude.
+ * Returns a new ScanResult with:
+ *   - Confirmed findings: confidence upgraded, analysisMethod = 'llm'
+ *   - Rejected findings: removed
+ *   - HIGH-confidence findings: unchanged (not sent to LLM)
+ */
+export declare function verifyFindings(result: ScanResult, sourceMap: Map<string, string[]>, // filePath → source lines
+options?: LLMVerifierOptions, failOn?: FailOnLevel): Promise<ScanResult>;
+//# sourceMappingURL=llm-verifier.d.ts.map

package/dist/analysis/llm-verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-verifier.d.ts","sourceRoot":"","sources":["../../src/analysis/llm-verifier.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAW,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAG7D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAwED;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,EAAE,0BAA0B;AAC5D,OAAO,GAAE,kBAAuB,EAChC,MAAM,GAAE,WAAqB,GAC5B,OAAO,CAAC,UAAU,CAAC,CAoFrB"}

package/dist/analysis/llm-verifier.js

@@ -0,0 +1,152 @@
+// ============================================================
+// LLM Verifier — uses Claude API to confirm/reject low-confidence findings
+//
+// When --ai-verify is set:
+//   1. Finds all MEDIUM-confidence regex findings
+//   2. Sends code context + rule description to Claude
+//   3. On confirmation → upgrades confidence, sets analysisMethod='llm'
+//   4. On rejection → removes the finding from results
+//
+// Requires ANTHROPIC_API_KEY env var.
+// Results are cached in .owaspscan-cache.json (24hr TTL).
+// ============================================================
+import Anthropic from '@anthropic-ai/sdk';
+import { ResultCache } from './result-cache.js';
+import { buildScanResult } from '../utils/scoring.js';
+function buildPrompt(finding, sourceLines) {
+    const startLine = Math.max(0, finding.line - 6);
+    const endLine = Math.min(sourceLines.length, finding.line + 5);
+    const context = sourceLines.slice(startLine, endLine)
+        .map((l, i) => `${startLine + i + 1}: ${l}`)
+        .join('\n');
+    return `You are a security code reviewer. Analyze this potential vulnerability finding:
+
+RULE: ${finding.ruleName} (${finding.ruleId})
+OWASP: ${finding.owasp} | ${finding.cwe}
+SEVERITY: ${finding.severity}
+DESCRIPTION: ${finding.message}
+
+CODE CONTEXT (lines ${startLine + 1}-${endLine}):
+\`\`\`
+${context}
+\`\`\`
+
+FLAGGED LINE ${finding.line}: ${finding.snippet}
+
+Is this a real vulnerability? Consider:
+1. Is the flagged code actually reachable/dangerous?
+2. Is there sanitization, validation, or parameterization nearby?
+3. Could this be a false positive (e.g., test code, commented out, safe usage)?
+
+Respond ONLY with valid JSON (no markdown, no explanation outside JSON):
+{
+  "confirmed": <true|false>,
+  "confidence": "<HIGH|MEDIUM|LOW>",
+  "reason": "<one sentence explanation>",
+  "fix": "<optional: brief fix suggestion if confirmed>"
+}`;
+}
+async function callClaude(client, prompt) {
+    try {
+        const message = await client.messages.create({
+            model: 'claude-sonnet-4-6',
+            max_tokens: 256,
+            messages: [{ role: 'user', content: prompt }],
+        });
+        const text = message.content
+            .filter((b) => b.type === 'text')
+            .map((b) => b.text)
+            .join('');
+        // Extract JSON from response (may have surrounding whitespace)
+        const jsonMatch = /\{[\s\S]*\}/.exec(text);
+        if (!jsonMatch)
+            return null;
+        const parsed = JSON.parse(jsonMatch[0]);
+        if (typeof parsed.confirmed !== 'boolean')
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Verify low-confidence (MEDIUM, regex-only) findings using Claude.
+ * Returns a new ScanResult with:
+ *   - Confirmed findings: confidence upgraded, analysisMethod = 'llm'
+ *   - Rejected findings: removed
+ *   - HIGH-confidence findings: unchanged (not sent to LLM)
+ */
+export async function verifyFindings(result, sourceMap, // filePath → source lines
+options = {}, failOn = 'never') {
+    const apiKey = options.apiKey ?? process.env['ANTHROPIC_API_KEY'];
+    if (!apiKey) {
+        process.stderr.write('Warning: --ai-verify requires ANTHROPIC_API_KEY environment variable\n');
+        return result;
+    }
+    const client = new Anthropic({ apiKey });
+    const cache = new ResultCache(options.projectRoot ?? process.cwd());
+    const maxCalls = options.maxCalls ?? 50;
+    let callCount = 0;
+    const updatedFiles = await Promise.all(result.files.map(async (fileResult) => {
+        const sourceLines = sourceMap.get(fileResult.filePath) ?? [];
+        const updatedFindings = [];
+        for (const finding of fileResult.findings) {
+            // Only verify MEDIUM-confidence regex findings
+            if (finding.confidence !== 'MEDIUM' || finding.analysisMethod !== 'regex') {
+                updatedFindings.push(finding);
+                continue;
+            }
+            // Check cache first
+            const cached = cache.get(finding.ruleId, finding.snippet);
+            if (cached) {
+                if (cached.confirmed) {
+                    updatedFindings.push({
+                        ...finding,
+                        confidence: cached.confidence,
+                        analysisMethod: 'llm',
+                        message: `${finding.message} [AI-verified: ${cached.reason}]`,
+                    });
+                }
+                // Rejected → don't add to updatedFindings
+                continue;
+            }
+            // Rate limit
+            if (callCount >= maxCalls) {
+                updatedFindings.push(finding); // Keep unverified
+                continue;
+            }
+            // Call Claude
+            const prompt = buildPrompt(finding, sourceLines);
+            const verifyResult = await callClaude(client, prompt);
+            callCount++;
+            if (!verifyResult) {
+                updatedFindings.push(finding); // Keep on API failure
+                continue;
+            }
+            // Cache the result
+            cache.set(finding.ruleId, finding.snippet, {
+                confirmed: verifyResult.confirmed,
+                confidence: verifyResult.confidence,
+                reason: verifyResult.reason,
+                fix: verifyResult.fix,
+            });
+            if (verifyResult.confirmed) {
+                updatedFindings.push({
+                    ...finding,
+                    confidence: verifyResult.confidence,
+                    analysisMethod: 'llm',
+                    message: `${finding.message} [AI-verified: ${verifyResult.reason}]`,
+                    fix: verifyResult.fix ? `${verifyResult.fix}\n\n${finding.fix}` : finding.fix,
+                });
+            }
+            // Rejected → don't add
+        }
+        return { ...fileResult, findings: updatedFindings };
+    }));
+    if (callCount > 0) {
+        process.stderr.write(`AI verification: ${callCount} findings verified via Claude API\n`);
+    }
+    return buildScanResult(result.targetPath, updatedFiles, result.scanDurationMs, failOn);
+}
+//# sourceMappingURL=llm-verifier.js.map

package/dist/analysis/llm-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-verifier.js","sourceRoot":"","sources":["../../src/analysis/llm-verifier.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,2EAA2E;AAC3E,EAAE;AACF,2BAA2B;AAC3B,kDAAkD;AAClD,uDAAuD;AACvD,wEAAwE;AACxE,uDAAuD;AACvD,EAAE;AACF,sCAAsC;AACtC,0DAA0D;AAC1D,+DAA+D;AAE/D,OAAO,SAAS,MAAM,mBAAmB,CAAC;AAE1C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAgBtD,SAAS,WAAW,CAAC,OAAgB,EAAE,WAAqB;IAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IAC/D,MAAM,OAAO,GAAG,WAAW,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC;SAClD,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,SAAS,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;SAC3C,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,OAAO;;QAED,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,MAAM;SAClC,OAAO,CAAC,KAAK,MAAM,OAAO,CAAC,GAAG;YAC3B,OAAO,CAAC,QAAQ;eACb,OAAO,CAAC,OAAO;;sBAER,SAAS,GAAG,CAAC,IAAI,OAAO;;EAE5C,OAAO;;;eAGM,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,OAAO;;;;;;;;;;;;;EAa7C,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC3C,KAAK,EAAE,mBAAmB;YAC1B,UAAU,EAAE,GAAG;YACf,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;SAC9C,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO;aACzB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC;aAChC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,CAAoC,CAAC,IAAI,CAAC;aACtD,IAAI,CAAC,EAAE,CAAC,CAAC;QAEZ,+DAA+D;QAC/D,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAiB,CAAC;QACxD,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,SAAS;YAAE,OAAO,IAAI,CAAC;QACvD,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAkB,EAClB,SAAgC,EAAE,0BAA0B;AAC5D,UAA8B,EAAE,EAChC,SAAsB,OAAO;IAE7B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAClE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wEAAwE,CAAC,CAAC;QAC/F,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACpE,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;IACxC,IAAI,SAAS,GAAG,CAAC,CAAC;IAElB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,EAAE;QACpC,MAAM,WAAW,GAAG,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC7D,MAAM,eAAe,GAAc,EAAE,CAAC;QAEtC,KAAK,MAAM,OAAO,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YAC1C,+CAA+C;YAC/C,IAAI,OAAO,CAAC,UAAU,KAAK,QAAQ,IAAI,OAAO,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;gBAC1E,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAC9B,SAAS;YACX,CAAC;YAED,oBAAoB;YACpB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;YAC1D,IAAI,MAAM,EAAE,CAAC;gBACX,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;oBACrB,eAAe,CAAC,IAAI,CAAC;wBACnB,GAAG,OAAO;wBACV,UAAU,EAAE,MAAM,CAAC,UAAU;wBAC7B,cAAc,EAAE,KAAK;wBACrB,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,kBAAkB,MAAM,CAAC,MAAM,GAAG;qBAC9D,CAAC,CAAC;gBACL,CAAC;gBACD,0CAA0C;gBAC1C,SAAS;YACX,CAAC;YAED,aAAa;YACb,IAAI,SAAS,IAAI,QAAQ,EAAE,CAAC;gBAC1B,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,kBAAkB;gBACjD,SAAS;YACX,CAAC;YAED,cAAc;YACd,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;YACjD,MAAM,YAAY,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YACtD,SAAS,EAAE,CAAC;YAEZ,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,sBAAsB;gBACrD,SAAS;YACX,CAAC;YAED,mBAAmB;YACnB,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,EAAE;gBACzC,SAAS,EAAE,YAAY,CAAC,SAAS;gBACjC,UAAU,EAAE,YAAY,CAAC,UAAU;gBACnC,MAAM,EAAE,YAAY,CAAC,MAAM;gBAC3B,GAAG,EAAE,YAAY,CAAC,GAAG;aACtB,CAAC,CAAC;YAEH,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;gBAC3B,eAAe,CAAC,IAAI,CAAC;oBACnB,GAAG,OAAO;oBACV,UAAU,EAAE,YAAY,CAAC,UAAU;oBACnC,cAAc,EAAE,KAAK;oBACrB,OAAO,EAAE,GAAG,OAAO,CAAC,OAAO,kBAAkB,YAAY,CAAC,MAAM,GAAG;oBACnE,GAAG,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,YAAY,CAAC,GAAG,OAAO,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG;iBAC9E,CAAC,CAAC;YACL,CAAC;YACD,uBAAuB;QACzB,CAAC;QAED,OAAO,EAAE,GAAG,UAAU,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC;IACtD,CAAC,CAAC,CACH,CAAC;IAEF,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,SAAS,qCAAqC,CAAC,CAAC;IAC3F,CAAC;IAED,OAAO,eAAe,CAAC,MAAM,CAAC,UAAU,EAAE,YAAY,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;AACzF,CAAC"}

package/dist/analysis/result-cache.d.ts

@@ -0,0 +1,20 @@
+export interface CacheEntry {
+    confirmed: boolean;
+    confidence: 'HIGH' | 'MEDIUM' | 'LOW';
+    reason: string;
+    fix?: string;
+    timestamp: number;
+}
+export declare class ResultCache {
+    private cacheFile;
+    private cache;
+    constructor(projectRoot: string);
+    private load;
+    private persist;
+    static hashKey(ruleId: string, snippet: string): string;
+    get(ruleId: string, snippet: string): CacheEntry | null;
+    set(ruleId: string, snippet: string, entry: Omit<CacheEntry, 'timestamp'>): void;
+    /** Remove expired entries and re-save */
+    prune(): void;
+}
+//# sourceMappingURL=result-cache.d.ts.map

package/dist/analysis/result-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"result-cache.d.ts","sourceRoot":"","sources":["../../src/analysis/result-cache.ts"],"names":[],"mappings":"AAUA,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;CACnB;AAKD,qBAAa,WAAW;IACtB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,KAAK,CAA0B;gBAE3B,WAAW,EAAE,MAAM;IAK/B,OAAO,CAAC,IAAI;IAUZ,OAAO,CAAC,OAAO;IAYf,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM;IAIvD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IAYvD,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,GAAG,IAAI;IAMhF,yCAAyC;IACzC,KAAK,IAAI,IAAI;CAOd"}

package/dist/analysis/result-cache.js

@@ -0,0 +1,70 @@
+// ============================================================
+// Result Cache — hash-based caching for LLM verifier results
+// Stored in .owaspscan-cache.json in the project root
+// TTL: 24 hours per entry (re-verify if older)
+// ============================================================
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
+const CACHE_FILENAME = '.owaspscan-cache.json';
+export class ResultCache {
+    cacheFile;
+    cache;
+    constructor(projectRoot) {
+        this.cacheFile = path.join(projectRoot, CACHE_FILENAME);
+        this.cache = this.load();
+    }
+    load() {
+        try {
+            const raw = fs.readFileSync(this.cacheFile, 'utf8');
+            const obj = JSON.parse(raw);
+            return new Map(Object.entries(obj));
+        }
+        catch {
+            return new Map();
+        }
+    }
+    persist() {
+        try {
+            const obj = {};
+            for (const [k, v] of this.cache.entries()) {
+                obj[k] = v;
+            }
+            fs.writeFileSync(this.cacheFile, JSON.stringify(obj, null, 2), 'utf8');
+        }
+        catch {
+            // Non-fatal — cache write failure doesn't break scanning
+        }
+    }
+    static hashKey(ruleId, snippet) {
+        return crypto.createHash('sha256').update(`${ruleId}:${snippet}`).digest('hex').slice(0, 32);
+    }
+    get(ruleId, snippet) {
+        const key = ResultCache.hashKey(ruleId, snippet);
+        const entry = this.cache.get(key);
+        if (!entry)
+            return null;
+        // Expire after TTL
+        if (Date.now() - entry.timestamp > CACHE_TTL_MS) {
+            this.cache.delete(key);
+            return null;
+        }
+        return entry;
+    }
+    set(ruleId, snippet, entry) {
+        const key = ResultCache.hashKey(ruleId, snippet);
+        this.cache.set(key, { ...entry, timestamp: Date.now() });
+        this.persist();
+    }
+    /** Remove expired entries and re-save */
+    prune() {
+        const now = Date.now();
+        for (const [key, entry] of this.cache.entries()) {
+            if (now - entry.timestamp > CACHE_TTL_MS)
+                this.cache.delete(key);
+        }
+        this.persist();
+    }
+}
+//# sourceMappingURL=result-cache.js.map

package/dist/analysis/result-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"result-cache.js","sourceRoot":"","sources":["../../src/analysis/result-cache.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,6DAA6D;AAC7D,sDAAsD;AACtD,+CAA+C;AAC/C,+DAA+D;AAE/D,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,MAAM,MAAM,QAAQ,CAAC;AAU5B,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW;AACrD,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAE/C,MAAM,OAAO,WAAW;IACd,SAAS,CAAS;IAClB,KAAK,CAA0B;IAEvC,YAAY,WAAmB;QAC7B,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC;QACxD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;IAC3B,CAAC;IAEO,IAAI;QACV,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,MAAM,CAAC,CAAC;YACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA+B,CAAC;YAC1D,OAAO,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,GAAG,EAAE,CAAC;QACnB,CAAC;IACH,CAAC;IAEO,OAAO;QACb,IAAI,CAAC;YACH,MAAM,GAAG,GAA+B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;gBAC1C,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACb,CAAC;YACD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QACzE,CAAC;QAAC,MAAM,CAAC;YACP,yDAAyD;QAC3D,CAAC;IACH,CAAC;IAED,MAAM,CAAC,OAAO,CAAC,MAAc,EAAE,OAAe;QAC5C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,OAAe;QACjC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QACxB,mBAAmB;QACnB,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,SAAS,GAAG,YAAY,EAAE,CAAC;YAChD,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,GAAG,CAAC,MAAc,EAAE,OAAe,EAAE,KAAoC;QACvE,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACjD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAED,yCAAyC;IACzC,KAAK;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAChD,IAAI,GAAG,GAAG,KAAK,CAAC,SAAS,GAAG,YAAY;gBAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF"}

package/dist/analysis/sinks.d.ts

@@ -0,0 +1,12 @@
+import type { OWASPCategory, Severity } from '../types/index.js';
+export interface SinkDef {
+    pattern: RegExp;
+    argPattern: RegExp;
+    ruleId: string;
+    owasp: OWASPCategory;
+    severity: Severity;
+    description: string;
+    languages: ('javascript' | 'typescript' | 'python')[];
+}
+export declare function getSinkPatterns(language: 'javascript' | 'typescript' | 'python'): SinkDef[];
+//# sourceMappingURL=sinks.d.ts.map

package/dist/analysis/sinks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sinks.d.ts","sourceRoot":"","sources":["../../src/analysis/sinks.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAEjE,MAAM,WAAW,OAAO;IAGtB,OAAO,EAAE,MAAM,CAAC;IAEhB,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,aAAa,CAAC;IACrB,QAAQ,EAAE,QAAQ,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,CAAC,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC,EAAE,CAAC;CACvD;AA0ID,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,GAC/C,OAAO,EAAE,CAGX"}

package/dist/analysis/sinks.js

@@ -0,0 +1,142 @@
+// ============================================================
+// Taint Sinks — dangerous functions where tainted data causes harm
+// ============================================================
+const JS_SINKS = [
+    // SQL injection sinks
+    {
+        pattern: /\.(?:query|execute|raw|run)\s*\(/g,
+        argPattern: /\.(?:query|execute|raw|run)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A03-001',
+        owasp: 'A03:2021',
+        severity: 'CRITICAL',
+        description: 'Tainted variable passed to SQL query function',
+        languages: ['javascript', 'typescript'],
+    },
+    // NoSQL injection
+    {
+        pattern: /\$where\s*:/g,
+        argPattern: /\$where\s*:\s*([^,}\n]{0,200})/,
+        ruleId: 'OWASP-A03-003',
+        owasp: 'A03:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable used in NoSQL $where clause',
+        languages: ['javascript', 'typescript'],
+    },
+    // Command injection sinks
+    {
+        pattern: /(?:exec|execSync|spawn|spawnSync|execFile|system)\s*\(/g,
+        argPattern: /(?:exec|execSync|spawn|spawnSync|execFile|system)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A03-002',
+        owasp: 'A03:2021',
+        severity: 'CRITICAL',
+        description: 'Tainted variable passed to shell execution function',
+        languages: ['javascript', 'typescript'],
+    },
+    // SSRF sinks
+    {
+        pattern: /(?:fetch|axios\.get|axios\.post|http\.get|https\.get|request\.get)\s*\(/g,
+        argPattern: /(?:fetch|axios\.get|axios\.post|http\.get|https\.get|request\.get)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A10-001',
+        owasp: 'A10:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable used in HTTP fetch (potential SSRF)',
+        languages: ['javascript', 'typescript'],
+    },
+    // XSS sinks
+    {
+        pattern: /(?:innerHTML|outerHTML|document\.write)\s*[=+(]/g,
+        argPattern: /(?:innerHTML|outerHTML|document\.write)\s*[=+(]\s*([^;\n]{0,200})/,
+        ruleId: 'OWASP-A03-004',
+        owasp: 'A03:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable rendered as HTML (XSS)',
+        languages: ['javascript', 'typescript'],
+    },
+    // eval / Function constructor
+    {
+        pattern: /(?:eval|new Function)\s*\(/g,
+        argPattern: /(?:eval|new Function)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A08-001',
+        owasp: 'A08:2021',
+        severity: 'CRITICAL',
+        description: 'Tainted variable passed to eval() (code injection)',
+        languages: ['javascript', 'typescript'],
+    },
+    // Path traversal (fs operations with user input)
+    {
+        pattern: /(?:readFile|writeFile|unlink|readdir|stat|open)(?:Sync)?\s*\(/g,
+        argPattern: /(?:readFile|writeFile|unlink|readdir|stat|open)(?:Sync)?\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A01-002',
+        owasp: 'A01:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable used as file path (path traversal)',
+        languages: ['javascript', 'typescript'],
+    },
+];
+const PYTHON_SINKS = [
+    // SQL injection
+    {
+        pattern: /(?:execute|executemany|raw|cursor\.execute)\s*\(/g,
+        argPattern: /(?:execute|executemany|raw|cursor\.execute)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A03-001',
+        owasp: 'A03:2021',
+        severity: 'CRITICAL',
+        description: 'Tainted variable passed to SQL execute function',
+        languages: ['python'],
+    },
+    // Command injection
+    {
+        pattern: /(?:os\.system|subprocess\.(?:call|run|Popen|check_output)|commands\.getoutput)\s*\(/g,
+        argPattern: /(?:os\.system|subprocess\.(?:call|run|Popen|check_output)|commands\.getoutput)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A03-002',
+        owasp: 'A03:2021',
+        severity: 'CRITICAL',
+        description: 'Tainted variable passed to shell command (command injection)',
+        languages: ['python'],
+    },
+    // SSRF
+    {
+        pattern: /(?:requests\.(?:get|post|put|delete)|urllib\.request\.urlopen|urlopen)\s*\(/g,
+        argPattern: /(?:requests\.(?:get|post|put|delete)|urllib\.request\.urlopen|urlopen)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A10-001',
+        owasp: 'A10:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable used in HTTP request (potential SSRF)',
+        languages: ['python'],
+    },
+    // eval / exec
+    {
+        pattern: /(?:^|\s)(?:eval|exec)\s*\(/gm,
+        argPattern: /(?:eval|exec)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A08-001',
+        owasp: 'A08:2021',
+        severity: 'CRITICAL',
+        description: 'Tainted variable passed to eval/exec (code injection)',
+        languages: ['python'],
+    },
+    // Template injection
+    {
+        pattern: /(?:render_template_string|Template)\s*\(/g,
+        argPattern: /(?:render_template_string|Template)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A03-005',
+        owasp: 'A03:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable used in template (SSTI)',
+        languages: ['python'],
+    },
+    // Path traversal
+    {
+        pattern: /(?:open|os\.path\.join|pathlib\.Path)\s*\(/g,
+        argPattern: /(?:open|os\.path\.join|pathlib\.Path)\s*\(([^)]{0,300})\)/,
+        ruleId: 'OWASP-A01-002',
+        owasp: 'A01:2021',
+        severity: 'HIGH',
+        description: 'Tainted variable used as file path (path traversal)',
+        languages: ['python'],
+    },
+];
+export function getSinkPatterns(language) {
+    const all = [...JS_SINKS, ...PYTHON_SINKS];
+    return all.filter((s) => s.languages.includes(language));
+}
+//# sourceMappingURL=sinks.js.map

package/dist/analysis/sinks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sinks.js","sourceRoot":"","sources":["../../src/analysis/sinks.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,mEAAmE;AACnE,+DAA+D;AAiB/D,MAAM,QAAQ,GAAc;IAC1B,sBAAsB;IACtB;QACE,OAAO,EAAE,mCAAmC;QAC5C,UAAU,EAAE,iDAAiD;QAC7D,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,cAAc;QACvB,UAAU,EAAE,gCAAgC;QAC5C,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,8CAA8C;QAC3D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,0BAA0B;IAC1B;QACE,OAAO,EAAE,yDAAyD;QAClE,UAAU,EAAE,uEAAuE;QACnF,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qDAAqD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,aAAa;IACb;QACE,OAAO,EAAE,0EAA0E;QACnF,UAAU,EAAE,wFAAwF;QACpG,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sDAAsD;QACnE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,YAAY;IACZ;QACE,OAAO,EAAE,kDAAkD;QAC3D,UAAU,EAAE,mEAAmE;QAC/E,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,yCAAyC;QACtD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,8BAA8B;IAC9B;QACE,OAAO,EAAE,6BAA6B;QACtC,UAAU,EAAE,2CAA2C;QACvD,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,oDAAoD;QACjE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,iDAAiD;IACjD;QACE,OAAO,EAAE,gEAAgE;QACzE,UAAU,EAAE,8EAA8E;QAC1F,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qDAAqD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;CACF,CAAC;AAEF,MAAM,YAAY,GAAc;IAC9B,gBAAgB;IAChB;QACE,OAAO,EAAE,mDAAmD;QAC5D,UAAU,EAAE,iEAAiE;QAC7E,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iDAAiD;QAC9D,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,oBAAoB;IACpB;QACE,OAAO,EAAE,sFAAsF;QAC/F,UAAU,EAAE,oGAAoG;QAChH,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8DAA8D;QAC3E,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,OAAO;IACP;QACE,OAAO,EAAE,8EAA8E;QACvF,UAAU,EAAE,4FAA4F;QACxG,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wDAAwD;QACrE,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,cAAc;IACd;QACE,OAAO,EAAE,8BAA8B;QACvC,UAAU,EAAE,mCAAmC;QAC/C,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uDAAuD;QACpE,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,qBAAqB;IACrB;QACE,OAAO,EAAE,2CAA2C;QACpD,UAAU,EAAE,yDAAyD;QACrE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0CAA0C;QACvD,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,iBAAiB;IACjB;QACE,OAAO,EAAE,6CAA6C;QACtD,UAAU,EAAE,2DAA2D;QACvE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qDAAqD;QAClE,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;CACF,CAAC;AAEF,MAAM,UAAU,eAAe,CAC7B,QAAgD;IAEhD,MAAM,GAAG,GAAG,CAAC,GAAG,QAAQ,EAAE,GAAG,YAAY,CAAC,CAAC;IAC3C,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/analysis/sources.d.ts

@@ -0,0 +1,8 @@
+export interface SourceDef {
+    pattern: RegExp;
+    description: string;
+    languages: ('javascript' | 'typescript' | 'python')[];
+}
+export declare function getSourcePatterns(language: 'javascript' | 'typescript' | 'python'): SourceDef[];
+export declare function extractTaintedVars(code: string, language: 'javascript' | 'typescript' | 'python'): Map<string, string>;
+//# sourceMappingURL=sources.d.ts.map

package/dist/analysis/sources.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.d.ts","sourceRoot":"","sources":["../../src/analysis/sources.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,SAAS;IAGxB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,CAAC,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC,EAAE,CAAC;CACvD;AAwFD,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,GAC/C,SAAS,EAAE,CAGb;AAGD,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,GAC/C,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAsBrB"}