@trust-assurance-protocol/owaspscan 1.0.0

package/dist/analysis/sources.js

@@ -0,0 +1,114 @@
+// ============================================================
+// Taint Sources — definitions of where user-controlled input enters
+// ============================================================
+// JavaScript / TypeScript taint sources
+const JS_SOURCES = [
+    // req.query.*, req.body.*, req.params.*
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*req(?:uest)?\.(?:query|body|params)\b/g,
+        description: 'HTTP request query/body/params',
+        languages: ['javascript', 'typescript'],
+    },
+    // Destructured: const { id } = req.query
+    {
+        pattern: /(?:const|let|var)\s*\{([^}]+)\}\s*=\s*req(?:uest)?\.(?:query|body|params)\b/g,
+        description: 'Destructured HTTP request input',
+        languages: ['javascript', 'typescript'],
+    },
+    // req.query directly used (no assignment)
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*req(?:uest)?\.(?:query|body|params)\.(\w+)/g,
+        description: 'HTTP request field',
+        languages: ['javascript', 'typescript'],
+    },
+    // process.argv
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*process\.argv\b/g,
+        description: 'CLI argument input',
+        languages: ['javascript', 'typescript'],
+    },
+    // readFileSync / readFile with user-controlled path
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*(?:fs\.)?readFileSync\s*\(/g,
+        description: 'File read result',
+        languages: ['javascript', 'typescript'],
+    },
+    // event.target.value (browser DOM)
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*(?:event|e)\.target\.value\b/g,
+        description: 'DOM input value',
+        languages: ['javascript', 'typescript'],
+    },
+    // localStorage / sessionStorage
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*(?:localStorage|sessionStorage)\.getItem\s*\(/g,
+        description: 'Browser storage value',
+        languages: ['javascript', 'typescript'],
+    },
+    // URLSearchParams
+    {
+        pattern: /(?:const|let|var)\s+(\w+)\s*=\s*(?:new URLSearchParams|searchParams\.get)\s*\(/g,
+        description: 'URL search param',
+        languages: ['javascript', 'typescript'],
+    },
+];
+// Python taint sources
+const PYTHON_SOURCES = [
+    // Flask: request.args.get, request.form.get, request.json
+    {
+        pattern: /(\w+)\s*=\s*request\.(?:args|form|json|values|data|files)(?:\.get\s*\(|\[)/g,
+        description: 'Flask HTTP request input',
+        languages: ['python'],
+    },
+    // Django: request.GET, request.POST, request.body
+    {
+        pattern: /(\w+)\s*=\s*request\.(?:GET|POST|body|data)\s*(?:\.get\s*\(|\[)/g,
+        description: 'Django HTTP request input',
+        languages: ['python'],
+    },
+    // input() function
+    {
+        pattern: /(\w+)\s*=\s*input\s*\(/g,
+        description: 'User terminal input',
+        languages: ['python'],
+    },
+    // sys.argv
+    {
+        pattern: /(\w+)\s*=\s*sys\.argv\b/g,
+        description: 'CLI argument input',
+        languages: ['python'],
+    },
+    // FastAPI / path param
+    {
+        pattern: /async\s+def\s+\w+\s*\([^)]*(\w+)\s*:/g,
+        description: 'FastAPI route parameter',
+        languages: ['python'],
+    },
+];
+export function getSourcePatterns(language) {
+    const all = [...JS_SOURCES, ...PYTHON_SOURCES];
+    return all.filter((s) => s.languages.includes(language));
+}
+// Extract tainted variable names from a block of code
+export function extractTaintedVars(code, language) {
+    const tainted = new Map(); // varName → source description
+    const sources = getSourcePatterns(language);
+    for (const source of sources) {
+        // Reset lastIndex for global regexes
+        source.pattern.lastIndex = 0;
+        let match;
+        while ((match = source.pattern.exec(code)) !== null) {
+            // For destructured: capture group 1 might be "id, name" — split and add all
+            const captured = match[1] ?? '';
+            const varNames = captured.split(',').map((v) => v.trim().split(':')[0].trim());
+            for (const v of varNames) {
+                if (v && /^\w+$/.test(v)) {
+                    tainted.set(v, source.description);
+                }
+            }
+        }
+        source.pattern.lastIndex = 0;
+    }
+    return tainted;
+}
+//# sourceMappingURL=sources.js.map

package/dist/analysis/sources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sources.js","sourceRoot":"","sources":["../../src/analysis/sources.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,oEAAoE;AACpE,+DAA+D;AAU/D,wCAAwC;AACxC,MAAM,UAAU,GAAgB;IAC9B,wCAAwC;IACxC;QACE,OAAO,EAAE,wEAAwE;QACjF,WAAW,EAAE,gCAAgC;QAC7C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,yCAAyC;IACzC;QACE,OAAO,EAAE,8EAA8E;QACvF,WAAW,EAAE,iCAAiC;QAC9C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,0CAA0C;IAC1C;QACE,OAAO,EAAE,6EAA6E;QACtF,WAAW,EAAE,oBAAoB;QACjC,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,eAAe;IACf;QACE,OAAO,EAAE,kDAAkD;QAC3D,WAAW,EAAE,oBAAoB;QACjC,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,oDAAoD;IACpD;QACE,OAAO,EAAE,6DAA6D;QACtE,WAAW,EAAE,kBAAkB;QAC/B,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,mCAAmC;IACnC;QACE,OAAO,EAAE,+DAA+D;QACxE,WAAW,EAAE,iBAAiB;QAC9B,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,gCAAgC;IAChC;QACE,OAAO,EAAE,gFAAgF;QACzF,WAAW,EAAE,uBAAuB;QACpC,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;IACD,kBAAkB;IAClB;QACE,OAAO,EAAE,iFAAiF;QAC1F,WAAW,EAAE,kBAAkB;QAC/B,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;KACxC;CACF,CAAC;AAEF,uBAAuB;AACvB,MAAM,cAAc,GAAgB;IAClC,0DAA0D;IAC1D;QACE,OAAO,EAAE,6EAA6E;QACtF,WAAW,EAAE,0BAA0B;QACvC,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,kDAAkD;IAClD;QACE,OAAO,EAAE,kEAAkE;QAC3E,WAAW,EAAE,2BAA2B;QACxC,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,mBAAmB;IACnB;QACE,OAAO,EAAE,yBAAyB;QAClC,WAAW,EAAE,qBAAqB;QAClC,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,WAAW;IACX;QACE,OAAO,EAAE,0BAA0B;QACnC,WAAW,EAAE,oBAAoB;QACjC,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;IACD,uBAAuB;IACvB;QACE,OAAO,EAAE,uCAAuC;QAChD,WAAW,EAAE,yBAAyB;QACtC,SAAS,EAAE,CAAC,QAAQ,CAAC;KACtB;CACF,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAC/B,QAAgD;IAEhD,MAAM,GAAG,GAAG,CAAC,GAAG,UAAU,EAAE,GAAG,cAAc,CAAC,CAAC;IAC/C,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED,sDAAsD;AACtD,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,QAAgD;IAEhD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,+BAA+B;IAC1E,MAAM,OAAO,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAE5C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,qCAAqC;QACrC,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAC7B,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACpD,4EAA4E;YAC5E,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YAChF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,IAAI,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzB,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/analysis/taint-engine.d.ts

@@ -0,0 +1,5 @@
+import type { Finding, Rule } from '../types/index.js';
+type TaintLanguage = 'javascript' | 'typescript' | 'python';
+export declare function analyzeTaint(code: string, language: TaintLanguage, filePath: string, rules: Rule[]): Finding[];
+export {};
+//# sourceMappingURL=taint-engine.d.ts.map

package/dist/analysis/taint-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-engine.d.ts","sourceRoot":"","sources":["../../src/analysis/taint-engine.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAMvD,KAAK,aAAa,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,CAAC;AAgI5D,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,aAAa,EACvB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,IAAI,EAAE,GACZ,OAAO,EAAE,CA6EX"}

package/dist/analysis/taint-engine.js

@@ -0,0 +1,187 @@
+// ============================================================
+// Taint Engine — intra-procedural data flow / taint analysis
+//
+// Strategy:
+//   1. Extract taint sources (variables assigned from user input)
+//   2. Propagate taint through assignment chains within the same scope
+//   3. Detect tainted variables reaching dangerous sinks
+//
+// Limitation: intra-procedural only (single file / function scope).
+// Inter-procedural taint (across function calls) is not tracked.
+// ============================================================
+import { extractTaintedVars } from './sources.js';
+import { getSinkPatterns } from './sinks.js';
+import { isSuppressed } from '../utils/suppression.js';
+import { registry } from '../rules/registry.js';
+// Propagate taint through assignment statements.
+// e.g. if userId is tainted and we see: const q = userId + " extra",
+// then q becomes tainted too.
+function propagateTaint(code, tainted, language) {
+    const lines = code.split('\n');
+    let changed = true;
+    // Keep iterating until no new variables become tainted (fixed-point)
+    let iterations = 0;
+    while (changed && iterations < 10) {
+        changed = false;
+        iterations++;
+        for (const line of lines) {
+            const trimmed = line.trim();
+            // Skip comment lines
+            if (trimmed.startsWith('//') ||
+                trimmed.startsWith('#') ||
+                trimmed.startsWith('*') ||
+                trimmed.startsWith('/*')) {
+                continue;
+            }
+            // JavaScript/TypeScript assignment: const/let/var varName = ... taintedVar ...
+            if (language === 'javascript' || language === 'typescript') {
+                const assignMatch = /(?:const|let|var)\s+(\w+)\s*=\s*(.+)/.exec(trimmed);
+                if (assignMatch) {
+                    const newVar = assignMatch[1];
+                    const rhs = assignMatch[2];
+                    if (!tainted.has(newVar)) {
+                        for (const [taintedVar] of tainted) {
+                            // Check if the tainted variable appears in the RHS
+                            if (new RegExp(`\\b${taintedVar}\\b`).test(rhs)) {
+                                tainted.set(newVar, `derived from ${taintedVar}`);
+                                changed = true;
+                                break;
+                            }
+                        }
+                    }
+                }
+                // Simple reassignment: varName = ... taintedVar ...
+                const reassignMatch = /^(\w+)\s*=\s*(.+)/.exec(trimmed);
+                if (reassignMatch && !['if', 'while', 'for', 'return', 'const', 'let', 'var'].includes(reassignMatch[1])) {
+                    const newVar = reassignMatch[1];
+                    const rhs = reassignMatch[2];
+                    if (!tainted.has(newVar)) {
+                        for (const [taintedVar] of tainted) {
+                            if (new RegExp(`\\b${taintedVar}\\b`).test(rhs)) {
+                                tainted.set(newVar, `derived from ${taintedVar}`);
+                                changed = true;
+                                break;
+                            }
+                        }
+                    }
+                }
+                // Template literal assignment: const q = `... ${taintedVar} ...`
+                const templateMatch = /(?:const|let|var)\s+(\w+)\s*=\s*`([^`]*)`;?/.exec(trimmed);
+                if (templateMatch) {
+                    const newVar = templateMatch[1];
+                    const template = templateMatch[2];
+                    if (!tainted.has(newVar)) {
+                        for (const [taintedVar] of tainted) {
+                            if (template.includes(`\${${taintedVar}}`)) {
+                                tainted.set(newVar, `derived from ${taintedVar} (template)`);
+                                changed = true;
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+            // Python assignment: varName = ... taintedVar ...
+            if (language === 'python') {
+                const assignMatch = /^(\w+)\s*=\s*(.+)/.exec(trimmed);
+                if (assignMatch && !['if', 'while', 'for', 'return', 'def', 'class', 'import'].includes(assignMatch[1])) {
+                    const newVar = assignMatch[1];
+                    const rhs = assignMatch[2];
+                    if (!tainted.has(newVar)) {
+                        for (const [taintedVar] of tainted) {
+                            if (new RegExp(`\\b${taintedVar}\\b`).test(rhs)) {
+                                tainted.set(newVar, `derived from ${taintedVar}`);
+                                changed = true;
+                                break;
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+}
+// Check if a sink's argument string contains a tainted variable
+function sinkArgContainsTainted(argStr, tainted) {
+    for (const [taintedVar] of tainted) {
+        if (new RegExp(`\\b${taintedVar}\\b`).test(argStr)) {
+            return taintedVar;
+        }
+    }
+    return null;
+}
+// Get line number (1-based) for a character offset in source
+function getLineNumber(source, offset) {
+    return source.slice(0, offset).split('\n').length;
+}
+// Get line content at a given 1-based line number
+function getLineContent(lines, lineNum) {
+    return lines[lineNum - 1] ?? '';
+}
+export function analyzeTaint(code, language, filePath, rules) {
+    const findings = [];
+    // Build the set of rule IDs we're scanning for
+    const activeRuleIds = new Set(rules.map((r) => r.id));
+    // Step 1: Extract initial taint sources
+    const tainted = extractTaintedVars(code, language);
+    // Step 2: Propagate taint through assignments
+    propagateTaint(code, tainted, language);
+    if (tainted.size === 0) {
+        return findings; // Nothing tainted — no need to check sinks
+    }
+    // Step 3: Check sinks
+    const sinks = getSinkPatterns(language);
+    const lines = code.split('\n');
+    for (const sink of sinks) {
+        // Skip sinks whose rule isn't in the active rule set
+        if (!activeRuleIds.has(sink.ruleId))
+            continue;
+        // Find the rule definition
+        const rule = registry.getById(sink.ruleId);
+        if (!rule)
+            continue;
+        // Reset lastIndex
+        sink.pattern.lastIndex = 0;
+        let match;
+        while ((match = sink.pattern.exec(code)) !== null) {
+            const offset = match.index;
+            const lineNum = getLineNumber(code, offset);
+            // Check suppression
+            if (isSuppressed(lines, lineNum - 1, sink.ruleId))
+                continue;
+            // Extract the argument to the sink call
+            const lineContent = getLineContent(lines, lineNum);
+            const argMatch = sink.argPattern.exec(lineContent);
+            const argStr = argMatch ? argMatch[1] ?? '' : lineContent;
+            // Check if the arg contains a tainted variable
+            const taintedVar = sinkArgContainsTainted(argStr, tainted);
+            if (taintedVar !== null) {
+                const sourceDesc = tainted.get(taintedVar) ?? 'user input';
+                const taintPath = [
+                    `Source: '${taintedVar}' from ${sourceDesc}`,
+                    `Sink: line ${lineNum} — ${sink.description}`,
+                ];
+                findings.push({
+                    ruleId: sink.ruleId,
+                    ruleName: rule.name,
+                    owasp: sink.owasp,
+                    cwe: rule.cwe,
+                    severity: sink.severity,
+                    filePath,
+                    line: lineNum,
+                    column: 1,
+                    snippet: lineContent.trim(),
+                    message: `[TAINT] ${sink.description} — variable '${taintedVar}' originates from ${sourceDesc}`,
+                    fix: rule.fix,
+                    references: rule.references,
+                    confidence: 'HIGH',
+                    analysisMethod: 'taint',
+                    taintPath,
+                });
+            }
+        }
+        sink.pattern.lastIndex = 0;
+    }
+    return findings;
+}
+//# sourceMappingURL=taint-engine.js.map

package/dist/analysis/taint-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"taint-engine.js","sourceRoot":"","sources":["../../src/analysis/taint-engine.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,6DAA6D;AAC7D,EAAE;AACF,YAAY;AACZ,kEAAkE;AAClE,uEAAuE;AACvE,yDAAyD;AACzD,EAAE;AACF,oEAAoE;AACpE,iEAAiE;AACjE,+DAA+D;AAG/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AAClD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAIhD,iDAAiD;AACjD,qEAAqE;AACrE,8BAA8B;AAC9B,SAAS,cAAc,CACrB,IAAY,EACZ,OAA4B,EAC5B,QAAuB;IAEvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,OAAO,GAAG,IAAI,CAAC;IAEnB,qEAAqE;IACrE,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,OAAO,OAAO,IAAI,UAAU,GAAG,EAAE,EAAE,CAAC;QAClC,OAAO,GAAG,KAAK,CAAC;QAChB,UAAU,EAAE,CAAC;QAEb,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;YAE5B,qBAAqB;YACrB,IACE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;gBACxB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBACvB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;gBACvB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EACxB,CAAC;gBACD,SAAS;YACX,CAAC;YAED,+EAA+E;YAC/E,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;gBAC3D,MAAM,WAAW,GAAG,sCAAsC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACzE,IAAI,WAAW,EAAE,CAAC;oBAChB,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;oBAC/B,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;oBAE5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzB,KAAK,MAAM,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;4BACnC,mDAAmD;4BACnD,IAAI,IAAI,MAAM,CAAC,MAAM,UAAU,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gCAChD,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,gBAAgB,UAAU,EAAE,CAAC,CAAC;gCAClD,OAAO,GAAG,IAAI,CAAC;gCACf,MAAM;4BACR,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,oDAAoD;gBACpD,MAAM,aAAa,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACxD,IAAI,aAAa,IAAI,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAE,CAAC,EAAE,CAAC;oBAC1G,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAE,CAAC;oBACjC,MAAM,GAAG,GAAG,aAAa,CAAC,CAAC,CAAE,CAAC;oBAC9B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzB,KAAK,MAAM,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;4BACnC,IAAI,IAAI,MAAM,CAAC,MAAM,UAAU,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gCAChD,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,gBAAgB,UAAU,EAAE,CAAC,CAAC;gCAClD,OAAO,GAAG,IAAI,CAAC;gCACf,MAAM;4BACR,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,iEAAiE;gBACjE,MAAM,aAAa,GAAG,6CAA6C,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAClF,IAAI,aAAa,EAAE,CAAC;oBAClB,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAE,CAAC;oBACjC,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAE,CAAC;oBACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzB,KAAK,MAAM,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;4BACnC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,UAAU,GAAG,CAAC,EAAE,CAAC;gCAC3C,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,gBAAgB,UAAU,aAAa,CAAC,CAAC;gCAC7D,OAAO,GAAG,IAAI,CAAC;gCACf,MAAM;4BACR,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,kDAAkD;YAClD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAC1B,MAAM,WAAW,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACtD,IAAI,WAAW,IAAI,CAAC,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAE,CAAC,EAAE,CAAC;oBACzG,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;oBAC/B,MAAM,GAAG,GAAG,WAAW,CAAC,CAAC,CAAE,CAAC;oBAC5B,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBACzB,KAAK,MAAM,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;4BACnC,IAAI,IAAI,MAAM,CAAC,MAAM,UAAU,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gCAChD,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,gBAAgB,UAAU,EAAE,CAAC,CAAC;gCAClD,OAAO,GAAG,IAAI,CAAC;gCACf,MAAM;4BACR,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,gEAAgE;AAChE,SAAS,sBAAsB,CAC7B,MAAc,EACd,OAA4B;IAE5B,KAAK,MAAM,CAAC,UAAU,CAAC,IAAI,OAAO,EAAE,CAAC;QACnC,IAAI,IAAI,MAAM,CAAC,MAAM,UAAU,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACnD,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,6DAA6D;AAC7D,SAAS,aAAa,CAAC,MAAc,EAAE,MAAc;IACnD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AACpD,CAAC;AAED,kDAAkD;AAClD,SAAS,cAAc,CAAC,KAAe,EAAE,OAAe;IACtD,OAAO,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,YAAY,CAC1B,IAAY,EACZ,QAAuB,EACvB,QAAgB,EAChB,KAAa;IAEb,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,+CAA+C;IAC/C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEtD,wCAAwC;IACxC,MAAM,OAAO,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAEnD,8CAA8C;IAC9C,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAExC,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,QAAQ,CAAC,CAAC,2CAA2C;IAC9D,CAAC;IAED,sBAAsB;IACtB,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,qDAAqD;QACrD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC;YAAE,SAAS;QAE9C,2BAA2B;QAC3B,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,kBAAkB;QAClB,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAC3B,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAClD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC;YAC3B,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAE5C,oBAAoB;YACpB,IAAI,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YAE5D,wCAAwC;YACxC,MAAM,WAAW,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACnD,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;YAE1D,+CAA+C;YAC/C,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAE3D,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;gBACxB,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,YAAY,CAAC;gBAC3D,MAAM,SAAS,GAAG;oBAChB,YAAY,UAAU,UAAU,UAAU,EAAE;oBAC5C,cAAc,OAAO,MAAM,IAAI,CAAC,WAAW,EAAE;iBAC9C,CAAC;gBAEF,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,QAAQ,EAAE,IAAI,CAAC,IAAI;oBACnB,KAAK,EAAE,IAAI,CAAC,KAAK;oBACjB,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ;oBACR,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,CAAC;oBACT,OAAO,EAAE,WAAW,CAAC,IAAI,EAAE;oBAC3B,OAAO,EAAE,WAAW,IAAI,CAAC,WAAW,gBAAgB,UAAU,qBAAqB,UAAU,EAAE;oBAC/F,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,OAAO;oBACvB,SAAS;iBACV,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":""}

package/dist/cli/index.js

@@ -0,0 +1,227 @@
+#!/usr/bin/env node
+// ============================================================
+// OWASPScan CLI — Professional OWASP Security Auditor
+// ============================================================
+import { Command } from 'commander';
+import path from 'path';
+import process from 'process';
+import { scanDirectory, scanCode, registry } from '../scanner/engine.js';
+import { reportConsole } from '../reporter/console.js';
+import { reportJson } from '../reporter/json.js';
+import { reportSarif } from '../reporter/sarif.js';
+import { reportLlm } from '../reporter/llm.js';
+import { filterScanResultByConfidence } from '../utils/scoring.js';
+import { loadConfig } from '../config/loader.js';
+import { verifyFindings } from '../analysis/llm-verifier.js';
+import { readFileSafe } from '../scanner/file-walker.js';
+const VERSION = '1.0.0';
+const program = new Command();
+program
+    .name('owaspscan')
+    .description('OWASPScan — Security code auditor covering OWASP Top 10 + LLM Top 10.\n' +
+    'Detects security vulnerabilities in AI-generated and human-written code.')
+    .version(VERSION, '-v, --version');
+// ─── Scan command (default) ───────────────────────────────────────────────
+program
+    .command('scan [target]', { isDefault: true })
+    .description('Scan a file or directory for security vulnerabilities')
+    .option('-r, --rules <categories>', 'Comma-separated OWASP categories to check (e.g. A01,A03,LLM01)')
+    .option('-f, --format <format>', 'Output format: console, json, sarif, llm')
+    .option('--fail-on <severity>', 'Exit code 1 if findings at this severity or above: critical, high, medium, low, never')
+    .option('--no-recursive', 'Do not scan subdirectories recursively')
+    .option('--exclude <patterns>', 'Comma-separated glob patterns to exclude')
+    .option('--verbose', 'Show fix suggestions and references for each finding')
+    .option('--no-color', 'Disable colored output', false)
+    .option('--max-findings <n>', 'Stop scanning after N findings', parseInt)
+    .option('--min-confidence <level>', 'Minimum confidence level to report: HIGH, MEDIUM, LOW')
+    .option('--sca', 'Run SCA dependency scanning against OSV CVE database')
+    .option('--ai-verify', 'Use Claude AI to verify low-confidence findings (requires ANTHROPIC_API_KEY)')
+    .option('--ai-verify-limit <n>', 'Max Claude API calls per scan (default: 50)', parseInt)
+    .option('--config <path>', 'Path to owaspscan.config.json (auto-discovered if not set)')
+    .option('--mcp', 'Start as MCP server instead of scanning')
+    .action(async (target, options) => {
+    // MCP server mode
+    if (options.mcp) {
+        await import('../mcp/server.js');
+        return;
+    }
+    const targetPath = target ? path.resolve(target) : process.cwd();
+    // Load config file, then override with explicitly-set CLI flags only
+    // Undefined CLI options fall back to config file, which falls back to defaults
+    const cfg = loadConfig({
+        rules: options.rules ? options.rules.split(',').map((r) => r.trim()).filter(Boolean) : undefined,
+        exclude: options.exclude ? options.exclude.split(',').map((e) => e.trim()).filter(Boolean) : undefined,
+        failOn: options.failOn,
+        format: options.format,
+        verbose: options.verbose,
+        minConfidence: options.minConfidence
+            ? options.minConfidence.toUpperCase()
+            : undefined,
+        sca: options.sca,
+        aiVerify: options.aiVerify,
+        aiVerifyLimit: options.aiVerifyLimit,
+    }, options.config, path.dirname(targetPath));
+    const format = cfg.format;
+    const failOn = cfg.failOn;
+    const rules = cfg.rules.length > 0 ? cfg.rules : undefined;
+    const exclude = cfg.exclude.length > 0 ? cfg.exclude : undefined;
+    const noColor = !options.color;
+    const minConfidence = cfg.minConfidence;
+    if (!['HIGH', 'MEDIUM', 'LOW'].includes(minConfidence)) {
+        process.stderr.write(`Invalid minConfidence: ${minConfidence}. Must be: HIGH, MEDIUM, LOW\n`);
+        process.exit(1);
+    }
+    // Validate format
+    if (!['console', 'json', 'sarif', 'llm'].includes(format)) {
+        process.stderr.write(`Invalid format: ${format}. Must be: console, json, sarif, llm\n`);
+        process.exit(1);
+    }
+    // Validate failOn
+    if (!['critical', 'high', 'medium', 'low', 'never'].includes(failOn)) {
+        process.stderr.write(`Invalid --fail-on value: ${failOn}. Must be: critical, high, medium, low, never\n`);
+        process.exit(1);
+    }
+    if (format === 'console' && !noColor) {
+        const totalRules = registry.size();
+        const coreCount = registry.coreRuleCount;
+        const proCount = totalRules - coreCount;
+        const rulesLabel = proCount > 0
+            ? `${coreCount} (core) + ${proCount} (pro) = ${totalRules} total`
+            : `${coreCount} rules (core)`;
+        process.stdout.write(`\nOWASPScan v${VERSION} — Scanning ${targetPath}\n`);
+        process.stdout.write(`Rules: ${rules?.join(', ') ?? rulesLabel} | Format: ${format} | Fail-on: ${failOn}\n`);
+    }
+    let progressInterval;
+    let lastProgress = '';
+    if (format === 'console') {
+        progressInterval = setInterval(() => {
+            if (lastProgress) {
+                process.stderr.write(`\r  Scanning: ${lastProgress.slice(-60)}  `);
+            }
+        }, 200);
+    }
+    try {
+        const result = await scanDirectory(targetPath, {
+            rules,
+            exclude,
+            recursive: options.recursive,
+            failOn,
+            verbose: cfg.verbose,
+            maxFindings: options.maxFindings,
+            sca: cfg.sca,
+        }, (_current, _total, filePath) => {
+            lastProgress = filePath;
+        });
+        if (progressInterval) {
+            clearInterval(progressInterval);
+            process.stderr.write('\r' + ' '.repeat(80) + '\r');
+        }
+        // AI verification (opt-in): verify MEDIUM-confidence regex findings via Claude
+        let verifiedResult = result;
+        if (cfg.aiVerify || options.aiVerify) {
+            const sourceMap = new Map();
+            for (const fileResult of result.files) {
+                const content = readFileSafe(fileResult.filePath);
+                if (content)
+                    sourceMap.set(fileResult.filePath, content.split('\n'));
+            }
+            verifiedResult = await verifyFindings(result, sourceMap, {
+                maxCalls: options.aiVerifyLimit ?? cfg.aiVerifyLimit,
+                projectRoot: targetPath,
+            }, failOn);
+        }
+        // Apply confidence filter if requested
+        const filteredResult = minConfidence !== 'LOW'
+            ? filterScanResultByConfidence(verifiedResult, minConfidence, failOn)
+            : verifiedResult;
+        switch (format) {
+            case 'json':
+                process.stdout.write(reportJson(filteredResult) + '\n');
+                break;
+            case 'sarif':
+                process.stdout.write(reportSarif(filteredResult) + '\n');
+                break;
+            case 'llm':
+                process.stdout.write(reportLlm(filteredResult) + '\n');
+                break;
+            case 'console':
+            default:
+                reportConsole(filteredResult, {
+                    verbose: cfg.verbose,
+                    noColor,
+                    showFix: cfg.verbose,
+                });
+                break;
+        }
+        // Exit code based on fail-on threshold
+        if (!filteredResult.passed) {
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        if (progressInterval)
+            clearInterval(progressInterval);
+        process.stderr.write(`Error: ${String(err)}\n`);
+        process.exit(2);
+    }
+});
+// ─── Rules command — list all available rules ─────────────────────────────
+program
+    .command('rules')
+    .description('List all available security rules')
+    .option('--category <category>', 'Filter by OWASP category (e.g. A01, LLM01, EXTRA)')
+    .option('--severity <severity>', 'Filter by severity (CRITICAL, HIGH, MEDIUM, LOW, INFO)')
+    .option('--json', 'Output as JSON')
+    .action((options) => {
+    let rules = registry.getAll();
+    if (options.category) {
+        rules = registry.filterByCategories([options.category]);
+    }
+    if (options.severity) {
+        const sevOrder = { CRITICAL: 5, HIGH: 4, MEDIUM: 3, LOW: 2, INFO: 1 };
+        const minSev = sevOrder[options.severity.toUpperCase()] ?? 0;
+        rules = rules.filter((r) => (sevOrder[r.severity] ?? 0) >= minSev);
+    }
+    if (options.json) {
+        process.stdout.write(JSON.stringify(rules, null, 2) + '\n');
+        return;
+    }
+    process.stdout.write(`\nOWASPScan — ${rules.length} security rules\n\n`);
+    for (const rule of rules) {
+        process.stdout.write(`  [${rule.severity.padEnd(8)}] ${rule.id.padEnd(20)} ${rule.owasp.padEnd(12)} ${rule.name}\n`);
+    }
+    process.stdout.write('\n');
+});
+// ─── Check command — scan a code snippet from stdin ───────────────────────
+program
+    .command('check')
+    .description('Scan code from stdin (pipe code into owaspscan check --lang typescript)')
+    .requiredOption('--lang <language>', 'Language of the code (javascript, typescript, python, java, go, php, ruby)')
+    .option('--format <format>', 'Output format', 'console')
+    .option('--no-color', 'Disable color output')
+    .action(async (options) => {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+        chunks.push(chunk);
+    }
+    const code = Buffer.concat(chunks).toString('utf8');
+    if (!code.trim()) {
+        process.stderr.write('No code received on stdin.\n');
+        process.exit(1);
+    }
+    const result = await scanCode(code, options.lang, '<stdin>');
+    switch (options.format) {
+        case 'json':
+            process.stdout.write(reportJson(result) + '\n');
+            break;
+        case 'llm':
+            process.stdout.write(reportLlm(result) + '\n');
+            break;
+        default:
+            reportConsole(result, { verbose: true, noColor: !options.color, showFix: true });
+    }
+    if (!result.passed)
+        process.exit(1);
+});
+program.parse(process.argv);
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA,+DAA+D;AAC/D,sDAAsD;AACtD,+DAA+D;AAE/D,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,OAAO,MAAM,SAAS,CAAC;AAE9B,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,OAAO,EAAE,4BAA4B,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,YAAY,EAAE,MAAM,2BAA2B,CAAC;AAGzD,MAAM,OAAO,GAAG,OAAO,CAAC;AAExB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,WAAW,CAAC;KACjB,WAAW,CACV,yEAAyE;IACzE,0EAA0E,CAC3E;KACA,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;AAErC,6EAA6E;AAC7E,OAAO;KACJ,OAAO,CAAC,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;KAC7C,WAAW,CAAC,uDAAuD,CAAC;KACpE,MAAM,CAAC,0BAA0B,EAAE,gEAAgE,CAAC;KACpG,MAAM,CAAC,uBAAuB,EAAE,0CAA0C,CAAC;KAC3E,MAAM,CAAC,sBAAsB,EAAE,uFAAuF,CAAC;KACvH,MAAM,CAAC,gBAAgB,EAAE,wCAAwC,CAAC;KAClE,MAAM,CAAC,sBAAsB,EAAE,0CAA0C,CAAC;KAC1E,MAAM,CAAC,WAAW,EAAE,sDAAsD,CAAC;KAC3E,MAAM,CAAC,YAAY,EAAE,wBAAwB,EAAE,KAAK,CAAC;KACrD,MAAM,CAAC,oBAAoB,EAAE,gCAAgC,EAAE,QAAQ,CAAC;KACxE,MAAM,CAAC,0BAA0B,EAAE,uDAAuD,CAAC;KAC3F,MAAM,CAAC,OAAO,EAAE,sDAAsD,CAAC;KACvE,MAAM,CAAC,aAAa,EAAE,8EAA8E,CAAC;KACrG,MAAM,CAAC,uBAAuB,EAAE,6CAA6C,EAAE,QAAQ,CAAC;KACxF,MAAM,CAAC,iBAAiB,EAAE,4DAA4D,CAAC;KACvF,MAAM,CAAC,OAAO,EAAE,yCAAyC,CAAC;KAC1D,MAAM,CAAC,KAAK,EAAE,MAA0B,EAAE,OAe1C,EAAE,EAAE;IACH,kBAAkB;IAClB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;QACjC,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IAEjE,qEAAqE;IACrE,+EAA+E;IAC/E,MAAM,GAAG,GAAG,UAAU,CACpB;QACE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS;QAChG,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS;QACtG,MAAM,EAAE,OAAO,CAAC,MAAiC;QACjD,MAAM,EAAE,OAAO,CAAC,MAAkC;QAClD,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,aAAa,EAAE,OAAO,CAAC,aAAa;YAClC,CAAC,CAAE,OAAO,CAAC,aAAa,CAAC,WAAW,EAAiB;YACrD,CAAC,CAAC,SAAS;QACb,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,aAAa,EAAE,OAAO,CAAC,aAAa;KACrC,EACD,OAAO,CAAC,MAAM,EACd,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CACzB,CAAC;IAEF,MAAM,MAAM,GAAG,GAAG,CAAC,MAAsB,CAAC;IAC1C,MAAM,MAAM,GAAG,GAAG,CAAC,MAAqB,CAAC;IACzC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3D,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IACjE,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC;IAC/B,MAAM,aAAa,GAAG,GAAG,CAAC,aAAa,CAAC;IAExC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,aAAa,gCAAgC,CAAC,CAAC;QAC9F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,MAAM,wCAAwC,CAAC,CAAC;QACxF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACrE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,MAAM,iDAAiD,CAAC,CAAC;QAC1G,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,OAAO,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,SAAS,GAAG,QAAQ,CAAC,aAAa,CAAC;QACzC,MAAM,QAAQ,GAAG,UAAU,GAAG,SAAS,CAAC;QACxC,MAAM,UAAU,GAAG,QAAQ,GAAG,CAAC;YAC7B,CAAC,CAAC,GAAG,SAAS,aAAa,QAAQ,YAAY,UAAU,QAAQ;YACjE,CAAC,CAAC,GAAG,SAAS,eAAe,CAAC;QAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,OAAO,eAAe,UAAU,IAAI,CAAC,CAAC;QAC3E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,KAAK,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,UAAU,cAAc,MAAM,eAAe,MAAM,IAAI,CAAC,CAAC;IAC/G,CAAC;IAED,IAAI,gBAA4C,CAAC;IACjD,IAAI,YAAY,GAAG,EAAE,CAAC;IAEtB,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,gBAAgB,GAAG,WAAW,CAAC,GAAG,EAAE;YAClC,IAAI,YAAY,EAAE,CAAC;gBACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YACrE,CAAC;QACH,CAAC,EAAE,GAAG,CAAC,CAAC;IACV,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,UAAU,EAAE;YAC7C,KAAK;YACL,OAAO;YACP,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM;YACN,OAAO,EAAE,GAAG,CAAC,OAAO;YACpB,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,GAAG,EAAE,GAAG,CAAC,GAAG;SACb,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE;YAChC,YAAY,GAAG,QAAQ,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,IAAI,gBAAgB,EAAE,CAAC;YACrB,aAAa,CAAC,gBAAgB,CAAC,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QACrD,CAAC;QAED,+EAA+E;QAC/E,IAAI,cAAc,GAAG,MAAM,CAAC;QAC5B,IAAI,GAAG,CAAC,QAAQ,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrC,MAAM,SAAS,GAAG,IAAI,GAAG,EAAoB,CAAC;YAC9C,KAAK,MAAM,UAAU,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACtC,MAAM,OAAO,GAAG,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBAClD,IAAI,OAAO;oBAAE,SAAS,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,cAAc,GAAG,MAAM,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE;gBACvD,QAAQ,EAAE,OAAO,CAAC,aAAa,IAAI,GAAG,CAAC,aAAa;gBACpD,WAAW,EAAE,UAAU;aACxB,EAAE,MAAM,CAAC,CAAC;QACb,CAAC;QAED,uCAAuC;QACvC,MAAM,cAAc,GAAG,aAAa,KAAK,KAAK;YAC5C,CAAC,CAAC,4BAA4B,CAAC,cAAc,EAAE,aAAa,EAAE,MAAM,CAAC;YACrE,CAAC,CAAC,cAAc,CAAC;QAEnB,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,MAAM;gBACT,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,CAAC;gBACxD,MAAM;YACR,KAAK,OAAO;gBACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,CAAC;gBACzD,MAAM;YACR,KAAK,KAAK;gBACR,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,cAAc,CAAC,GAAG,IAAI,CAAC,CAAC;gBACvD,MAAM;YACR,KAAK,SAAS,CAAC;YACf;gBACE,aAAa,CAAC,cAAc,EAAE;oBAC5B,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,OAAO;oBACP,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC,CAAC;gBACH,MAAM;QACV,CAAC;QAED,uCAAuC;QACvC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,CAAC;YAC3B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,gBAAgB;YAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;QACtD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,6EAA6E;AAC7E,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,mCAAmC,CAAC;KAChD,MAAM,CAAC,uBAAuB,EAAE,mDAAmD,CAAC;KACpF,MAAM,CAAC,uBAAuB,EAAE,wDAAwD,CAAC;KACzF,MAAM,CAAC,QAAQ,EAAE,gBAAgB,CAAC;KAClC,MAAM,CAAC,CAAC,OAAiE,EAAE,EAAE;IAC5E,IAAI,KAAK,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC;IAE9B,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,KAAK,GAAG,QAAQ,CAAC,kBAAkB,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,QAAQ,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9F,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,IAAI,CAAC,CAAC;QAC7D,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5D,OAAO;IACT,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,KAAK,CAAC,MAAM,qBAAqB,CAAC,CAAC;IACzE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;IACvH,CAAC;IACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC;AAEL,6EAA6E;AAC7E,OAAO;KACJ,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,yEAAyE,CAAC;KACtF,cAAc,CAAC,mBAAmB,EAAE,4EAA4E,CAAC;KACjH,MAAM,CAAC,mBAAmB,EAAE,eAAe,EAAE,SAAS,CAAC;KACvD,MAAM,CAAC,YAAY,EAAE,sBAAsB,CAAC;KAC5C,MAAM,CAAC,KAAK,EAAE,OAAyD,EAAE,EAAE;IAC1E,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;IAC/B,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACrD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,IAAyB,EAAE,SAAS,CAAC,CAAC;IAElF,QAAQ,OAAO,CAAC,MAAM,EAAE,CAAC;QACvB,KAAK,MAAM;YACT,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;YAChD,MAAM;QACR,KAAK,KAAK;YACR,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC;YAC/C,MAAM;QACR;YACE,aAAa,CAAC,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC"}

package/dist/config/loader.d.ts

@@ -0,0 +1,10 @@
+import type { OWASPScanConfig } from './schema.js';
+/**
+ * Load the effective config by merging: defaults < config file < CLI overrides.
+ *
+ * @param cliOverrides Partial config from CLI flags (undefined fields are ignored)
+ * @param explicitConfigPath Path from --config flag (overrides auto-discovery)
+ * @param searchDir Directory to start config file search from (default: cwd)
+ */
+export declare function loadConfig(cliOverrides?: Partial<OWASPScanConfig>, explicitConfigPath?: string, searchDir?: string): Required<OWASPScanConfig>;
+//# sourceMappingURL=loader.d.ts.map

package/dist/config/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAkCnD;;;;;;GAMG;AACH,wBAAgB,UAAU,CACxB,YAAY,GAAE,OAAO,CAAC,eAAe,CAAM,EAC3C,kBAAkB,CAAC,EAAE,MAAM,EAC3B,SAAS,GAAE,MAAsB,GAChC,QAAQ,CAAC,eAAe,CAAC,CAoC3B"}