@trust-assurance-protocol/owaspscan 1.0.0

package/dist/parsers/ast-queries.js

@@ -0,0 +1,580 @@
+// ============================================================
+// AST Queries — structural sink/source detection + AST-based taint
+//
+// Two detection modes:
+//
+// 1. Direct detection: user input appears directly in a sink arg
+//    `db.query("SELECT..." + req.query.id)`
+//    `exec(\`ping ${req.query.host}\`)`
+//
+// 2. AST taint propagation: user input assigned to variable, used in sink
+//    `const userId = req.query.id;`       ← source node: variable_declarator
+//    `const query = "SELECT..." + userId;` ← propagation: binary_expression
+//    `db.query(query);`                    ← sink arg is a tainted identifier
+//
+// Both use tree-sitter AST nodes — no regex string matching for variable tracking.
+// This eliminates false positives from comment lines and string contents.
+// ============================================================
+import { findAllNodes } from './ast-parser.js';
+// ---- Source patterns ----
+// These match the TEXT of AST nodes that represent user-controlled input.
+const JS_SOURCE_RE = /\breq(?:uest)?\.(?:query|body|params)\b|\bevent\.target\.value\b|\bprocess\.argv\b|\blocalStorage\.getItem\b|\bsessionStorage\.getItem\b|\bsearchParams\.get\b/;
+const PY_SOURCE_RE = /\brequest\.(?:args|form|json|values|data|files)\b|\brequest\.(?:GET|POST|body)\b|\binput\s*\(|\bsys\.argv\b/;
+function hasUserInput(node, language) {
+    const re = language === 'python' ? PY_SOURCE_RE : JS_SOURCE_RE;
+    return re.test(node.text);
+}
+// ---- Cross-file taint source collection ----
+/**
+ * Scan a single file's AST and collect the names of exported functions/variables
+ * whose bodies contain direct user-input sources.
+ *
+ * Used for cross-file taint tracking: if file A exports `getUserId(req)` which
+ * reads `req.query.id`, and file B calls `getUserId(req)`, the return value in
+ * file B should be treated as tainted.
+ */
+export function collectExportedTaintSources(rootNode, language) {
+    const sources = new Map();
+    for (const exportStmt of findAllNodes(rootNode, 'export_statement')) {
+        // export function NAME(req, ...) { ... req.query ... }
+        for (const funcDecl of findAllNodes(exportStmt, 'function_declaration')) {
+            const nameNode = funcDecl.childForFieldName('name');
+            const bodyNode = funcDecl.childForFieldName('body');
+            if (nameNode && bodyNode && hasUserInput(bodyNode, language)) {
+                sources.set(nameNode.text, `exported fn '${nameNode.text}' reads user input`);
+            }
+        }
+        // export const NAME = (req) => req.body.x  OR  export const NAME = function(req) { ... }
+        for (const varDecl of findAllNodes(exportStmt, 'variable_declarator')) {
+            const nameNode = varDecl.childForFieldName('name');
+            const valueNode = varDecl.childForFieldName('value');
+            if (!nameNode || !valueNode || nameNode.type !== 'identifier')
+                continue;
+            if ((valueNode.type === 'arrow_function' || valueNode.type === 'function') &&
+                hasUserInput(valueNode, language)) {
+                sources.set(nameNode.text, `exported arrow fn '${nameNode.text}' reads user input`);
+            }
+        }
+    }
+    // Also: module.exports.NAME = function(req) { ... } (CommonJS)
+    for (const assign of findAllNodes(rootNode, 'assignment_expression')) {
+        const left = assign.childForFieldName('left');
+        const right = assign.childForFieldName('right');
+        if (!left || !right)
+            continue;
+        // left must be `module.exports.NAME` or `exports.NAME`
+        if (left.type !== 'member_expression')
+            continue;
+        const leftText = left.text;
+        if (!/\b(?:module\.exports|exports)\.\w+/.test(leftText))
+            continue;
+        const propName = left.childForFieldName('property')?.text;
+        if (!propName)
+            continue;
+        if ((right.type === 'function' || right.type === 'arrow_function') &&
+            hasUserInput(right, language)) {
+            sources.set(propName, `module.exports.${propName} reads user input`);
+        }
+    }
+    return sources;
+}
+/**
+ * Walk all variable declarations and assignments in the AST.
+ * When the right-hand side is/contains a user input source, mark the
+ * left-hand variable name(s) as tainted.
+ *
+ * crossFileSources: optional map of function names from other files that return
+ * tainted data (built by collectExportedTaintSources in the pre-pass).
+ *
+ * Returns the initial (un-propagated) taint map.
+ */
+export function buildInitialTaintMap(rootNode, language, crossFileSources) {
+    const tainted = new Map();
+    if (language === 'javascript' || language === 'typescript') {
+        // --- variable_declarator: `const/let/var NAME = VALUE` ---
+        for (const decl of findAllNodes(rootNode, 'variable_declarator')) {
+            const nameNode = decl.childForFieldName('name');
+            const valueNode = decl.childForFieldName('value');
+            if (!nameNode || !valueNode)
+                continue;
+            // Cross-file taint must be checked BEFORE the hasUserInput guard,
+            // because `getUserId(req)` doesn't contain req.query directly.
+            if (crossFileSources && nameNode.type === 'identifier' && valueNode.type === 'call_expression') {
+                const callFuncNode = valueNode.childForFieldName('function');
+                if (callFuncNode) {
+                    const calleeName = callFuncNode.type === 'member_expression'
+                        ? (callFuncNode.childForFieldName('property')?.text ?? '')
+                        : callFuncNode.text;
+                    if (crossFileSources.has(calleeName)) {
+                        tainted.set(nameNode.text, `return value of cross-file fn '${calleeName}' (${crossFileSources.get(calleeName)})`);
+                        continue;
+                    }
+                }
+            }
+            if (!hasUserInput(valueNode, language))
+                continue;
+            // Simple identifier: const userId = req.query.id
+            if (nameNode.type === 'identifier') {
+                tainted.set(nameNode.text, `assigned from ${valueNode.text.slice(0, 60)}`);
+            }
+            // Destructuring: const { id, name } = req.query
+            if (nameNode.type === 'object_pattern') {
+                for (const prop of findAllNodes(nameNode, 'shorthand_property_identifier_pattern')) {
+                    tainted.set(prop.text, `destructured from ${valueNode.text.slice(0, 40)}`);
+                }
+                // Also handle: const { id: userId } = req.query
+                for (const prop of findAllNodes(nameNode, 'pair_pattern')) {
+                    const val = prop.childForFieldName('value');
+                    if (val?.type === 'identifier') {
+                        tainted.set(val.text, `destructured from ${valueNode.text.slice(0, 40)}`);
+                    }
+                }
+            }
+            // Array destructuring: const [a, b] = req.body.items
+            if (nameNode.type === 'array_pattern') {
+                for (const elem of nameNode.namedChildren) {
+                    if (elem.type === 'identifier') {
+                        tainted.set(elem.text, `array-destructured from ${valueNode.text.slice(0, 40)}`);
+                    }
+                }
+            }
+        }
+        // --- assignment_expression: `NAME = VALUE` (reassignment) ---
+        for (const assign of findAllNodes(rootNode, 'assignment_expression')) {
+            const left = assign.childForFieldName('left');
+            const right = assign.childForFieldName('right');
+            if (!left || !right)
+                continue;
+            if (left.type !== 'identifier')
+                continue;
+            if (hasUserInput(right, language)) {
+                tainted.set(left.text, `reassigned from ${right.text.slice(0, 60)}`);
+                continue;
+            }
+            // Cross-file: taintedVar = crossFileFn(...)
+            if (crossFileSources && right.type === 'call_expression') {
+                const callFuncNode = right.childForFieldName('function');
+                if (callFuncNode) {
+                    const calleeName = callFuncNode.type === 'member_expression'
+                        ? (callFuncNode.childForFieldName('property')?.text ?? '')
+                        : callFuncNode.text;
+                    if (crossFileSources.has(calleeName)) {
+                        tainted.set(left.text, `reassigned from cross-file fn '${calleeName}'`);
+                    }
+                }
+            }
+        }
+    }
+    if (language === 'python') {
+        // Python: `assignment` node → identifier = value
+        for (const assign of findAllNodes(rootNode, 'assignment')) {
+            const left = assign.namedChildren[0];
+            const right = assign.namedChildren[assign.namedChildren.length - 1];
+            if (!left || !right || left === right)
+                continue;
+            if (left.type !== 'identifier')
+                continue;
+            if (!hasUserInput(right, language))
+                continue;
+            tainted.set(left.text, `assigned from ${right.text.slice(0, 60)}`);
+        }
+    }
+    return tainted;
+}
+/**
+ * Fixed-point propagation: if the RHS of an assignment contains a tainted
+ * identifier, the LHS variable becomes tainted too.
+ *
+ * Mutates `tainted` in place. Runs until no new taints are added (max 10 passes).
+ */
+export function propagateTaint(rootNode, tainted, language) {
+    function rhsContainsTainted(valueNode) {
+        for (const identNode of findAllNodes(valueNode, 'identifier')) {
+            if (tainted.has(identNode.text))
+                return identNode.text;
+        }
+        // Template substitutions: `${taintedVar}`
+        for (const sub of findAllNodes(valueNode, 'template_substitution')) {
+            for (const identNode of findAllNodes(sub, 'identifier')) {
+                if (tainted.has(identNode.text))
+                    return identNode.text;
+            }
+        }
+        return null;
+    }
+    let changed = true;
+    let passes = 0;
+    while (changed && passes < 10) {
+        changed = false;
+        passes++;
+        if (language === 'javascript' || language === 'typescript') {
+            for (const decl of findAllNodes(rootNode, 'variable_declarator')) {
+                const nameNode = decl.childForFieldName('name');
+                const valueNode = decl.childForFieldName('value');
+                if (!nameNode || !valueNode)
+                    continue;
+                if (nameNode.type !== 'identifier')
+                    continue;
+                if (tainted.has(nameNode.text))
+                    continue;
+                const fromVar = rhsContainsTainted(valueNode);
+                if (fromVar) {
+                    tainted.set(nameNode.text, `derived from tainted '${fromVar}'`);
+                    changed = true;
+                }
+            }
+            for (const assign of findAllNodes(rootNode, 'assignment_expression')) {
+                const left = assign.childForFieldName('left');
+                const right = assign.childForFieldName('right');
+                if (!left || !right)
+                    continue;
+                if (left.type !== 'identifier')
+                    continue;
+                if (tainted.has(left.text))
+                    continue;
+                const fromVar = rhsContainsTainted(right);
+                if (fromVar) {
+                    tainted.set(left.text, `derived from tainted '${fromVar}'`);
+                    changed = true;
+                }
+            }
+        }
+        if (language === 'python') {
+            for (const assign of findAllNodes(rootNode, 'assignment')) {
+                const left = assign.namedChildren[0];
+                const right = assign.namedChildren[assign.namedChildren.length - 1];
+                if (!left || !right || left === right)
+                    continue;
+                if (left.type !== 'identifier')
+                    continue;
+                if (tainted.has(left.text))
+                    continue;
+                const fromVar = rhsContainsTainted(right);
+                if (fromVar) {
+                    tainted.set(left.text, `derived from tainted '${fromVar}'`);
+                    changed = true;
+                }
+            }
+        }
+    }
+}
+/**
+ * Build the full taint map: initial sources + propagated chains.
+ * crossFileSources: optional function names from other files that return tainted data.
+ */
+export function buildTaintMap(rootNode, language, crossFileSources) {
+    const tainted = buildInitialTaintMap(rootNode, language, crossFileSources);
+    if (tainted.size > 0) {
+        propagateTaint(rootNode, tainted, language);
+    }
+    return tainted;
+}
+// ---- Taint-aware argument checking ----
+/**
+ * Check if a call argument is or contains a tainted identifier from the taint map.
+ * Returns the tainted variable name if found, null otherwise.
+ */
+function argIsTainted(argNode, tainted) {
+    // Direct identifier: db.query(taintedVar)
+    if (argNode.type === 'identifier' && tainted.has(argNode.text)) {
+        return argNode.text;
+    }
+    // Any identifier within the arg expression
+    for (const identNode of findAllNodes(argNode, 'identifier')) {
+        if (tainted.has(identNode.text))
+            return identNode.text;
+    }
+    // Template substitution: `...${taintedVar}...`
+    for (const sub of findAllNodes(argNode, 'template_substitution')) {
+        for (const identNode of findAllNodes(sub, 'identifier')) {
+            if (tainted.has(identNode.text))
+                return identNode.text;
+        }
+    }
+    return null;
+}
+const SINK_RULES = [
+    {
+        ruleId: 'OWASP-A03-001',
+        owasp: 'A03:2021',
+        severity: 'CRITICAL',
+        description: 'Direct user input in SQL query function',
+        jsMethods: new Set(['query', 'execute', 'raw', 'run', 'queryRawUnsafe', 'executemany']),
+        pyFunctionRe: /\b(?:execute|executemany|raw)\b/,
+        // Only check arg[0] (the SQL string). arg[1] is the parameter bindings array — safe by design.
+        taintArgIndex: 0,
+    },
+    {
+        ruleId: 'OWASP-A03-002',
+        owasp: 'A03:2021',
+        severity: 'CRITICAL',
+        description: 'Direct user input in shell execution function',
+        jsMethods: new Set(['exec', 'execSync', 'execFile', 'execFileSync', 'spawnSync']),
+        jsFunctions: new Set(['exec', 'execSync', 'execFile', 'spawnSync']),
+        pyFunctionRe: /\b(?:os\.system|subprocess\.(?:run|call|Popen|check_output|check_call)|commands\.getoutput)\b/,
+    },
+    {
+        ruleId: 'OWASP-A10-001',
+        owasp: 'A10:2021',
+        severity: 'HIGH',
+        description: 'Direct user input in HTTP fetch call (SSRF)',
+        jsFunctions: new Set(['fetch']),
+        jsMethods: new Set(['get', 'post', 'put', 'patch', 'delete', 'request']),
+        // Only match real HTTP clients — NOT Express/Koa router.get('/path', handler)
+        jsObjectFilter: /^(axios|http|https|got|superagent|agent|nodeFetch|node-fetch|ky|request|urllib)\b/i,
+        // Only check arg[0] (the URL). Without this, handler function bodies with `req` get flagged.
+        taintArgIndex: 0,
+        pyFunctionRe: /\b(?:requests\.(?:get|post|put|delete|request|head)|urllib\.request\.urlopen|urlopen)\b/,
+    },
+    {
+        ruleId: 'OWASP-A08-001',
+        owasp: 'A08:2021',
+        severity: 'CRITICAL',
+        description: 'Direct user input in eval() (code injection)',
+        jsFunctions: new Set(['eval']),
+        pyFunctionRe: /\b(?:eval|exec)\b/,
+    },
+    {
+        ruleId: 'OWASP-A03-005',
+        owasp: 'A03:2021',
+        severity: 'HIGH',
+        description: 'Direct user input in template render (SSTI)',
+        jsMethods: new Set(['render']),
+        pyFunctionRe: /\b(?:render_template_string|Template)\b/,
+    },
+    {
+        ruleId: 'OWASP-A01-002',
+        owasp: 'A01:2021',
+        severity: 'HIGH',
+        description: 'Direct user input used as file path (path traversal)',
+        jsMethods: new Set(['readFile', 'writeFile', 'readFileSync', 'writeFileSync', 'unlink', 'stat', 'open']),
+        pyFunctionRe: /\b(?:open|os\.path\.join|pathlib\.Path)\b/,
+    },
+];
+// ---- JS/TS call expression analysis ----
+function analyzeJSCall(callNode, sourceLines, results, language, tainted) {
+    const funcNode = callNode.childForFieldName('function');
+    const argsNode = callNode.childForFieldName('arguments');
+    if (!funcNode || !argsNode)
+        return;
+    // Determine sink name
+    let sinkName = '';
+    let matchedSink;
+    if (funcNode.type === 'member_expression') {
+        const propNode = funcNode.childForFieldName('property') ??
+            funcNode.namedChild(funcNode.namedChildCount - 1);
+        if (propNode) {
+            sinkName = propNode.text;
+            matchedSink = SINK_RULES.find((r) => r.jsMethods?.has(sinkName));
+        }
+    }
+    else if (funcNode.type === 'identifier') {
+        sinkName = funcNode.text;
+        matchedSink = SINK_RULES.find((r) => r.jsFunctions?.has(sinkName));
+    }
+    if (!matchedSink)
+        return;
+    // If the sink requires the callee object to match a specific pattern (e.g. SSRF: only real
+    // HTTP clients, not Express router.get(path, handler)), enforce it here.
+    if (matchedSink.jsObjectFilter && funcNode.type === 'member_expression') {
+        const objectNode = funcNode.childForFieldName('object');
+        if (!objectNode || !matchedSink.jsObjectFilter.test(objectNode.text))
+            return;
+    }
+    // Check each argument: direct user input OR tainted variable
+    // For sinks with taintArgIndex, only check that specific argument (e.g. SQL: arg[0] only)
+    const argsToCheck = matchedSink.taintArgIndex !== undefined
+        ? [argsNode.namedChildren[matchedSink.taintArgIndex]].filter(Boolean)
+        : argsNode.namedChildren;
+    for (const arg of argsToCheck) {
+        const directHit = argContainsUserInput(arg, language);
+        const taintedVar = !directHit ? argIsTainted(arg, tainted) : null;
+        if (directHit || taintedVar) {
+            const line = callNode.startPosition.row + 1;
+            const taintInfo = taintedVar
+                ? ` (tainted via '${taintedVar}': ${tainted.get(taintedVar).slice(0, 60)})`
+                : '';
+            results.push({
+                ruleId: matchedSink.ruleId,
+                owasp: matchedSink.owasp,
+                severity: matchedSink.severity,
+                description: matchedSink.description + taintInfo,
+                line,
+                column: callNode.startPosition.column + 1,
+                snippet: (sourceLines[line - 1] ?? callNode.text.slice(0, 120)).trim(),
+                argText: arg.text.slice(0, 120),
+                sinkName,
+                taintPath: taintedVar
+                    ? [`Source: '${taintedVar}' — ${tainted.get(taintedVar)}`, `Sink: ${sinkName}(${arg.text.slice(0, 60)})`]
+                    : undefined,
+            });
+            break; // One finding per call
+        }
+    }
+}
+// Check if an argument node contains user input, structurally
+function argContainsUserInput(argNode, language) {
+    // Direct user input reference (req.query.id, request.args.get('id'), etc.)
+    if (hasUserInput(argNode, language))
+        return true;
+    // String concatenation: "SELECT..." + req.query.id
+    if (argNode.type === 'binary_expression') {
+        for (const child of argNode.namedChildren) {
+            if (argContainsUserInput(child, language))
+                return true;
+        }
+    }
+    // Template literal: `SELECT... ${req.query.id}`
+    if (argNode.type === 'template_string') {
+        for (const sub of findAllNodes(argNode, 'template_substitution')) {
+            if (hasUserInput(sub, language))
+                return true;
+        }
+    }
+    // Python: f-string or binary operator
+    if (argNode.type === 'binary_operator' || argNode.type === 'concatenated_string') {
+        for (const child of argNode.namedChildren) {
+            if (argContainsUserInput(child, language))
+                return true;
+        }
+    }
+    // Python: formatted string (f-string) — represented as `string` with interpolation nodes
+    if (argNode.type === 'string' && argNode.text.startsWith('f')) {
+        if (hasUserInput(argNode, language))
+            return true;
+    }
+    return false;
+}
+// ---- Python call expression analysis ----
+function analyzePythonCall(callNode, sourceLines, results, tainted) {
+    const funcNode = callNode.childForFieldName('function');
+    const argsNode = callNode.childForFieldName('arguments');
+    if (!funcNode || !argsNode)
+        return;
+    const funcText = funcNode.text;
+    const matchedSink = SINK_RULES.find((r) => r.pyFunctionRe && r.pyFunctionRe.test(funcText));
+    if (!matchedSink)
+        return;
+    // Check arguments: direct user input OR tainted variable
+    // For sinks with taintArgIndex, only check that specific argument
+    const pyArgTarget = matchedSink.taintArgIndex !== undefined
+        ? (argsNode.namedChildren[matchedSink.taintArgIndex] ?? argsNode)
+        : argsNode;
+    const directHit = argContainsUserInput(pyArgTarget, 'python');
+    const taintedVar = !directHit ? argIsTainted(pyArgTarget, tainted) : null;
+    if (directHit || taintedVar) {
+        const line = callNode.startPosition.row + 1;
+        const taintInfo = taintedVar
+            ? ` (tainted via '${taintedVar}': ${tainted.get(taintedVar).slice(0, 60)})`
+            : '';
+        results.push({
+            ruleId: matchedSink.ruleId,
+            owasp: matchedSink.owasp,
+            severity: matchedSink.severity,
+            description: matchedSink.description + taintInfo,
+            line,
+            column: callNode.startPosition.column + 1,
+            snippet: (sourceLines[line - 1] ?? callNode.text.slice(0, 120)).trim(),
+            argText: argsNode.text.slice(0, 120),
+            sinkName: funcText,
+            taintPath: taintedVar
+                ? [`Source: '${taintedVar}' — ${tainted.get(taintedVar)}`, `Sink: ${funcText}(${argsNode.text.slice(0, 60)})`]
+                : undefined,
+        });
+    }
+}
+// ---- Middleware-aware suppression ----
+// Names that strongly suggest input validation/sanitization middleware
+const VALIDATION_MIDDLEWARE_RE = /\b(?:validate|sanitize|check|verif(?:y|ied)|authenti(?:cat|c)|authori[sz]|protect|guard|permit|restrict|rateLimit|rateLimiter|helmet|csrf|xss|escape|clean(?:se|er)|strip|purif|dompurif)\w*\b/i;
+/**
+ * Collect line numbers of route handler functions that are protected by
+ * a validation/auth middleware in their Express/Koa route definition.
+ *
+ * e.g.: router.get('/users', authenticate, validateInput, handler)
+ *       → handler's body line numbers are "protected"
+ *
+ * Returns a Set of line numbers (1-based) that are inside protected handlers.
+ */
+function collectProtectedLines(rootNode) {
+    const protected_ = new Set();
+    for (const call of findAllNodes(rootNode, 'call_expression')) {
+        const func = call.childForFieldName('function');
+        const args = call.childForFieldName('arguments');
+        if (!func || !args)
+            continue;
+        // Match: router.get / app.post / router.use etc.
+        if (func.type !== 'member_expression')
+            continue;
+        const method = func.childForFieldName('property')?.text ?? '';
+        if (!/^(get|post|put|patch|delete|use|all)$/.test(method))
+            continue;
+        const argChildren = args.namedChildren;
+        if (argChildren.length < 2)
+            continue;
+        // Check if any non-last argument contains a validation middleware name
+        const middlewares = argChildren.slice(0, -1);
+        const hasValidationMiddleware = middlewares.some((m) => VALIDATION_MIDDLEWARE_RE.test(m.text));
+        if (!hasValidationMiddleware)
+            continue;
+        // The last argument is the route handler — mark all its lines as protected
+        const handler = argChildren[argChildren.length - 1];
+        if (!handler)
+            continue;
+        const startLine = handler.startPosition.row + 1;
+        const endLine = handler.endPosition.row + 1;
+        for (let ln = startLine; ln <= endLine; ln++) {
+            protected_.add(ln);
+        }
+    }
+    return protected_;
+}
+// ---- Main export ----
+/**
+ * Scan a parsed AST for vulnerabilities.
+ * Combines two detection modes:
+ *   1. Direct: user input appears directly in a sink argument
+ *   2. Taint: user input was assigned to a variable that reaches the sink
+ *
+ * The taint map is built via AST node traversal (not regex), so it is
+ * precise — handles destructuring, reassignment, template literals.
+ * Middleware-aware: handlers guarded by validate/auth middleware get LOW confidence.
+ *
+ * crossFileSources: optional map of function names from other scanned files that
+ * return tainted data (populated by the two-pass scanDirectory pre-pass).
+ */
+export function findVulnerableCalls(rootNode, language, sourceLines, crossFileSources) {
+    const results = [];
+    // Build AST-based taint map (sources + fixed-point propagation + cross-file sources)
+    const tainted = buildTaintMap(rootNode, language, crossFileSources);
+    // Collect lines inside middleware-protected route handlers (JS/TS only)
+    const protectedLines = (language === 'javascript' || language === 'typescript')
+        ? collectProtectedLines(rootNode)
+        : new Set();
+    if (language === 'javascript' || language === 'typescript') {
+        for (const callNode of findAllNodes(rootNode, 'call_expression')) {
+            analyzeJSCall(callNode, sourceLines, results, language, tainted);
+        }
+    }
+    else if (language === 'python') {
+        for (const callNode of findAllNodes(rootNode, 'call')) {
+            analyzePythonCall(callNode, sourceLines, results, tainted);
+        }
+    }
+    // Downgrade confidence for findings inside middleware-protected handlers
+    for (const finding of results) {
+        if (protectedLines.has(finding.line)) {
+            finding.suppressedByMiddleware = true;
+            finding.description = finding.description + ' [middleware may sanitize this input]';
+        }
+    }
+    // Deduplicate by line + ruleId
+    const seen = new Set();
+    return results.filter((r) => {
+        const key = `${r.ruleId}:${r.line}`;
+        if (seen.has(key))
+            return false;
+        seen.add(key);
+        return true;
+    });
+}
+//# sourceMappingURL=ast-queries.js.map

package/dist/parsers/ast-queries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-queries.js","sourceRoot":"","sources":["../../src/parsers/ast-queries.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,mEAAmE;AACnE,EAAE;AACF,uBAAuB;AACvB,EAAE;AACF,iEAAiE;AACjE,4CAA4C;AAC5C,wCAAwC;AACxC,EAAE;AACF,0EAA0E;AAC1E,6EAA6E;AAC7E,4EAA4E;AAC5E,8EAA8E;AAC9E,EAAE;AACF,mFAAmF;AACnF,0EAA0E;AAC1E,+DAA+D;AAE/D,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAI/C,4BAA4B;AAC5B,0EAA0E;AAE1E,MAAM,YAAY,GAAG,gKAAgK,CAAC;AACtL,MAAM,YAAY,GAAG,6GAA6G,CAAC;AAEnI,SAAS,YAAY,CAAC,IAAY,EAAE,QAAgD;IAClF,MAAM,EAAE,GAAG,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC;IAC/D,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAMD,+CAA+C;AAE/C;;;;;;;GAOG;AACH,MAAM,UAAU,2BAA2B,CACzC,QAAgB,EAChB,QAAqC;IAErC,MAAM,OAAO,GAAa,IAAI,GAAG,EAAE,CAAC;IAEpC,KAAK,MAAM,UAAU,IAAI,YAAY,CAAC,QAAQ,EAAE,kBAAkB,CAAC,EAAE,CAAC;QACpE,uDAAuD;QACvD,KAAK,MAAM,QAAQ,IAAI,YAAY,CAAC,UAAU,EAAE,sBAAsB,CAAC,EAAE,CAAC;YACxE,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YACpD,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YACpD,IAAI,QAAQ,IAAI,QAAQ,IAAI,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC;gBAC7D,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,gBAAgB,QAAQ,CAAC,IAAI,oBAAoB,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;QAED,yFAAyF;QACzF,KAAK,MAAM,OAAO,IAAI,YAAY,CAAC,UAAU,EAAE,qBAAqB,CAAC,EAAE,CAAC;YACtE,MAAM,QAAQ,GAAG,OAAO,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YACnD,MAAM,SAAS,GAAG,OAAO,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;YACrD,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YACxE,IACE,CAAC,SAAS,CAAC,IAAI,KAAK,gBAAgB,IAAI,SAAS,CAAC,IAAI,KAAK,UAAU,CAAC;gBACtE,YAAY,CAAC,SAAS,EAAE,QAAQ,CAAC,EACjC,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,sBAAsB,QAAQ,CAAC,IAAI,oBAAoB,CAAC,CAAC;YACtF,CAAC;QACH,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,uBAAuB,CAAC,EAAE,CAAC;QACrE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;YAAE,SAAS;QAC9B,uDAAuD;QACvD,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB;YAAE,SAAS;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;QAC3B,IAAI,CAAC,oCAAoC,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,SAAS;QACnE,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,EAAE,IAAI,CAAC;QAC1D,IAAI,CAAC,QAAQ;YAAE,SAAS;QACxB,IACE,CAAC,KAAK,CAAC,IAAI,KAAK,UAAU,IAAI,KAAK,CAAC,IAAI,KAAK,gBAAgB,CAAC;YAC9D,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,EAC7B,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,kBAAkB,QAAQ,mBAAmB,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB,CAClC,QAAgB,EAChB,QAAgD,EAChD,gBAA2B;IAE3B,MAAM,OAAO,GAAa,IAAI,GAAG,EAAE,CAAC;IAEpC,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3D,4DAA4D;QAC5D,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,QAAQ,EAAE,qBAAqB,CAAC,EAAE,CAAC;YACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAClD,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEtC,kEAAkE;YAClE,+DAA+D;YAC/D,IAAI,gBAAgB,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,IAAI,SAAS,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBAC/F,MAAM,YAAY,GAAG,SAAS,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;gBAC7D,IAAI,YAAY,EAAE,CAAC;oBACjB,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,KAAK,mBAAmB;wBAC1D,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,UAAU,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;wBAC1D,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC;oBACtB,IAAI,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;wBACrC,OAAO,CAAC,GAAG,CACT,QAAQ,CAAC,IAAI,EACb,kCAAkC,UAAU,MAAM,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CACtF,CAAC;wBACF,SAAS;oBACX,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,QAAQ,CAAC;gBAAE,SAAS;YAEjD,iDAAiD;YACjD,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACnC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;YAC7E,CAAC;YAED,gDAAgD;YAChD,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACvC,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,QAAQ,EAAE,uCAAuC,CAAC,EAAE,CAAC;oBACnF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,qBAAqB,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;gBAC7E,CAAC;gBACD,gDAAgD;gBAChD,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,QAAQ,EAAE,cAAc,CAAC,EAAE,CAAC;oBAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;oBAC5C,IAAI,GAAG,EAAE,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC/B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,qBAAqB,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;oBAC5E,CAAC;gBACH,CAAC;YACH,CAAC;YAED,qDAAqD;YACrD,IAAI,QAAQ,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;gBACtC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;oBAC1C,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,2BAA2B,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;oBACnF,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,uBAAuB,CAAC,EAAE,CAAC;YACrE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;gBAAE,SAAS;YAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YAEzC,IAAI,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;gBAClC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,mBAAmB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;gBACrE,SAAS;YACX,CAAC;YAED,4CAA4C;YAC5C,IAAI,gBAAgB,IAAI,KAAK,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBACzD,MAAM,YAAY,GAAG,KAAK,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;gBACzD,IAAI,YAAY,EAAE,CAAC;oBACjB,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,KAAK,mBAAmB;wBAC1D,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,UAAU,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;wBAC1D,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC;oBACtB,IAAI,gBAAgB,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,CAAC;wBACrC,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,IAAI,EACT,kCAAkC,UAAU,GAAG,CAChD,CAAC;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,iDAAiD;QACjD,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YACrC,MAAM,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YACpE,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,KAAK;gBAAE,SAAS;YAChD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;gBAAE,SAAS;YACzC,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC;gBAAE,SAAS;YAC7C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,iBAAiB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,QAAgB,EAChB,OAAiB,EACjB,QAAgD;IAEhD,SAAS,kBAAkB,CAAC,SAAiB;QAC3C,KAAK,MAAM,SAAS,IAAI,YAAY,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC;YAC9D,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC;gBAAE,OAAO,SAAS,CAAC,IAAI,CAAC;QACzD,CAAC;QACD,0CAA0C;QAC1C,KAAK,MAAM,GAAG,IAAI,YAAY,CAAC,SAAS,EAAE,uBAAuB,CAAC,EAAE,CAAC;YACnE,KAAK,MAAM,SAAS,IAAI,YAAY,CAAC,GAAG,EAAE,YAAY,CAAC,EAAE,CAAC;gBACxD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC;oBAAE,OAAO,SAAS,CAAC,IAAI,CAAC;YACzD,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,OAAO,GAAG,IAAI,CAAC;IACnB,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,OAAO,OAAO,IAAI,MAAM,GAAG,EAAE,EAAE,CAAC;QAC9B,OAAO,GAAG,KAAK,CAAC;QAChB,MAAM,EAAE,CAAC;QAET,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,QAAQ,EAAE,qBAAqB,CAAC,EAAE,CAAC;gBACjE,MAAM,QAAQ,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBAChD,MAAM,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAClD,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS;oBAAE,SAAS;gBACtC,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY;oBAAE,SAAS;gBAC7C,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAAE,SAAS;gBACzC,MAAM,OAAO,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;gBAC9C,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,yBAAyB,OAAO,GAAG,CAAC,CAAC;oBAChE,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;YAED,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,uBAAuB,CAAC,EAAE,CAAC;gBACrE,MAAM,IAAI,GAAG,MAAM,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC;gBAC9C,MAAM,KAAK,GAAG,MAAM,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAChD,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;oBAAE,SAAS;gBAC9B,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;oBAAE,SAAS;gBACzC,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBACrC,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;gBAC1C,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,yBAAyB,OAAO,GAAG,CAAC,CAAC;oBAC5D,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC;gBAC1D,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;gBACrC,MAAM,KAAK,GAAG,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACpE,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,KAAK,KAAK;oBAAE,SAAS;gBAChD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;oBAAE,SAAS;gBACzC,IAAI,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBACrC,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;gBAC1C,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,yBAAyB,OAAO,GAAG,CAAC,CAAC;oBAC5D,OAAO,GAAG,IAAI,CAAC;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAC3B,QAAgB,EAChB,QAAgD,EAChD,gBAA2B;IAE3B,MAAM,OAAO,GAAG,oBAAoB,CAAC,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAC3E,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACrB,cAAc,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,0CAA0C;AAE1C;;;GAGG;AACH,SAAS,YAAY,CAAC,OAAe,EAAE,OAAiB;IACtD,0CAA0C;IAC1C,IAAI,OAAO,CAAC,IAAI,KAAK,YAAY,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/D,OAAO,OAAO,CAAC,IAAI,CAAC;IACtB,CAAC;IACD,2CAA2C;IAC3C,KAAK,MAAM,SAAS,IAAI,YAAY,CAAC,OAAO,EAAE,YAAY,CAAC,EAAE,CAAC;QAC5D,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC,IAAI,CAAC;IACzD,CAAC;IACD,+CAA+C;IAC/C,KAAK,MAAM,GAAG,IAAI,YAAY,CAAC,OAAO,EAAE,uBAAuB,CAAC,EAAE,CAAC;QACjE,KAAK,MAAM,SAAS,IAAI,YAAY,CAAC,GAAG,EAAE,YAAY,CAAC,EAAE,CAAC;YACxD,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC;gBAAE,OAAO,SAAS,CAAC,IAAI,CAAC;QACzD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAuBD,MAAM,UAAU,GAAe;IAC7B;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,yCAAyC;QACtD,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;QACvF,YAAY,EAAE,iCAAiC;QAC/C,+FAA+F;QAC/F,aAAa,EAAE,CAAC;KACjB;IACD;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,CAAC,CAAC;QACjF,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QACnE,YAAY,EAAE,+FAA+F;KAC9G;IACD;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;QAC1D,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC;QAC/B,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QACxE,8EAA8E;QAC9E,cAAc,EAAE,oFAAoF;QACpG,6FAA6F;QAC7F,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,yFAAyF;KACxG;IACD;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8CAA8C;QAC3D,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;QAC9B,YAAY,EAAE,mBAAmB;KAClC;IACD;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,6CAA6C;QAC1D,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC9B,YAAY,EAAE,yCAAyC;KACxD;IACD;QACE,MAAM,EAAE,eAAe;QACvB,KAAK,EAAE,UAAU;QACjB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sDAAsD;QACnE,SAAS,EAAE,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,WAAW,EAAE,cAAc,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;QACxG,YAAY,EAAE,2CAA2C;KAC1D;CACF,CAAC;AAgBF,2CAA2C;AAE3C,SAAS,aAAa,CACpB,QAAgB,EAChB,WAAqB,EACrB,OAAqB,EACrB,QAAqC,EACrC,OAAiB;IAEjB,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACzD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ;QAAE,OAAO;IAEnC,sBAAsB;IACtB,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,WAAiC,CAAC;IAEtC,IAAI,QAAQ,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QAC1C,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,UAAU,CAAC;YACtC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,eAAe,GAAG,CAAC,CAAC,CAAC;QACnE,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC;YACzB,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;SAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1C,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC;QACzB,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,CAAC,WAAW;QAAE,OAAO;IAEzB,2FAA2F;IAC3F,yEAAyE;IACzE,IAAI,WAAW,CAAC,cAAc,IAAI,QAAQ,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACxE,MAAM,UAAU,GAAG,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO;IAC/E,CAAC;IAED,6DAA6D;IAC7D,0FAA0F;IAC1F,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,KAAK,SAAS;QACzD,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QACrE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;IAE3B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,SAAS,GAAG,oBAAoB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACtD,MAAM,UAAU,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAElE,IAAI,SAAS,IAAI,UAAU,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;YAC5C,MAAM,SAAS,GAAG,UAAU;gBAC1B,CAAC,CAAC,kBAAkB,UAAU,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;gBAC5E,CAAC,CAAC,EAAE,CAAC;YACP,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,KAAK,EAAE,WAAW,CAAC,KAAK;gBACxB,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,WAAW,EAAE,WAAW,CAAC,WAAW,GAAG,SAAS;gBAChD,IAAI;gBACJ,MAAM,EAAE,QAAQ,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;gBACzC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE;gBACtE,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;gBAC/B,QAAQ;gBACR,SAAS,EAAE,UAAU;oBACnB,CAAC,CAAC,CAAC,YAAY,UAAU,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC;oBACzG,CAAC,CAAC,SAAS;aACd,CAAC,CAAC;YACH,MAAM,CAAC,uBAAuB;QAChC,CAAC;IACH,CAAC;AACH,CAAC;AAED,8DAA8D;AAC9D,SAAS,oBAAoB,CAC3B,OAAe,EACf,QAAgD;IAEhD,2EAA2E;IAC3E,IAAI,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC;QAAE,OAAO,IAAI,CAAC;IAEjD,mDAAmD;IACnD,IAAI,OAAO,CAAC,IAAI,KAAK,mBAAmB,EAAE,CAAC;QACzC,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1C,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,CAAC;gBAAE,OAAO,IAAI,CAAC;QACzD,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,IAAI,OAAO,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,YAAY,CAAC,OAAO,EAAE,uBAAuB,CAAC,EAAE,CAAC;YACjE,IAAI,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC;gBAAE,OAAO,IAAI,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,OAAO,CAAC,IAAI,KAAK,iBAAiB,IAAI,OAAO,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;QACjF,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;YAC1C,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,CAAC;gBAAE,OAAO,IAAI,CAAC;QACzD,CAAC;IACH,CAAC;IAED,yFAAyF;IACzF,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9D,IAAI,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC;YAAE,OAAO,IAAI,CAAC;IACnD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,4CAA4C;AAE5C,SAAS,iBAAiB,CACxB,QAAgB,EAChB,WAAqB,EACrB,OAAqB,EACrB,OAAiB;IAEjB,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,QAAQ,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACzD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ;QAAE,OAAO;IAEnC,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC;IAE/B,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CACjC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,CACvD,CAAC;IACF,IAAI,CAAC,WAAW;QAAE,OAAO;IAEzB,yDAAyD;IACzD,kEAAkE;IAClE,MAAM,WAAW,GAAG,WAAW,CAAC,aAAa,KAAK,SAAS;QACzD,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,WAAW,CAAC,aAAa,CAAC,IAAI,QAAQ,CAAC;QACjE,CAAC,CAAC,QAAQ,CAAC;IACb,MAAM,SAAS,GAAG,oBAAoB,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE1E,IAAI,SAAS,IAAI,UAAU,EAAE,CAAC;QAC5B,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;QAC5C,MAAM,SAAS,GAAG,UAAU;YAC1B,CAAC,CAAC,kBAAkB,UAAU,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG;YAC5E,CAAC,CAAC,EAAE,CAAC;QACP,OAAO,CAAC,IAAI,CAAC;YACX,MAAM,EAAE,WAAW,CAAC,MAAM;YAC1B,KAAK,EAAE,WAAW,CAAC,KAAK;YACxB,QAAQ,EAAE,WAAW,CAAC,QAAQ;YAC9B,WAAW,EAAE,WAAW,CAAC,WAAW,GAAG,SAAS;YAChD,IAAI;YACJ,MAAM,EAAE,QAAQ,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;YACzC,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE;YACtE,OAAO,EAAE,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;YACpC,QAAQ,EAAE,QAAQ;YAClB,SAAS,EAAE,UAAU;gBACnB,CAAC,CAAC,CAAC,YAAY,UAAU,OAAO,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,EAAE,SAAS,QAAQ,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC;gBAC9G,CAAC,CAAC,SAAS;SACd,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,yCAAyC;AAEzC,uEAAuE;AACvE,MAAM,wBAAwB,GAAG,iMAAiM,CAAC;AAEnO;;;;;;;;GAQG;AACH,SAAS,qBAAqB,CAAC,QAAgB;IAC7C,MAAM,UAAU,GAAgB,IAAI,GAAG,EAAE,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,YAAY,CAAC,QAAQ,EAAE,iBAAiB,CAAC,EAAE,CAAC;QAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,IAAI,GAAG,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACjD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;YAAE,SAAS;QAE7B,iDAAiD;QACjD,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB;YAAE,SAAS;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;QAC9D,IAAI,CAAC,uCAAuC,CAAC,IAAI,CAAC,MAAM,CAAC;YAAE,SAAS;QAEpE,MAAM,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC;QACvC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAErC,uEAAuE;QACvE,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,uBAAuB,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;QAC/F,IAAI,CAAC,uBAAuB;YAAE,SAAS;QAEvC,2EAA2E;QAC3E,MAAM,OAAO,GAAG,WAAW,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACpD,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,SAAS,GAAG,OAAO,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,GAAG,CAAC,CAAC;QAC5C,KAAK,IAAI,EAAE,GAAG,SAAS,EAAE,EAAE,IAAI,OAAO,EAAE,EAAE,EAAE,EAAE,CAAC;YAC7C,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,wBAAwB;AAExB;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAgB,EAChB,QAAgD,EAChD,WAAqB,EACrB,gBAA2B;IAE3B,MAAM,OAAO,GAAiB,EAAE,CAAC;IAEjC,qFAAqF;IACrF,MAAM,OAAO,GAAG,aAAa,CAAC,QAAQ,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;IAEpE,wEAAwE;IACxE,MAAM,cAAc,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,CAAC;QAC7E,CAAC,CAAC,qBAAqB,CAAC,QAAQ,CAAC;QACjC,CAAC,CAAC,IAAI,GAAG,EAAU,CAAC;IAEtB,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC3D,KAAK,MAAM,QAAQ,IAAI,YAAY,CAAC,QAAQ,EAAE,iBAAiB,CAAC,EAAE,CAAC;YACjE,aAAa,CAAC,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;SAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,KAAK,MAAM,QAAQ,IAAI,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YACtD,iBAAiB,CAAC,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,KAAK,MAAM,OAAO,IAAI,OAAO,EAAE,CAAC;QAC9B,IAAI,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,sBAAsB,GAAG,IAAI,CAAC;YACtC,OAAO,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,GAAG,uCAAuC,CAAC;QACtF,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC1B,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAChC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/reporter/console.d.ts

@@ -0,0 +1,8 @@
+import type { ScanResult } from '../types/index.js';
+export interface ConsoleReporterOptions {
+    verbose: boolean;
+    noColor: boolean;
+    showFix: boolean;
+}
+export declare function reportConsole(result: ScanResult, options: ConsoleReporterOptions): void;
+//# sourceMappingURL=console.d.ts.map

package/dist/reporter/console.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"console.d.ts","sourceRoot":"","sources":["../../src/reporter/console.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,mBAAmB,CAAC;AA+HvE,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,wBAAgB,aAAa,CAAC,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,sBAAsB,GAAG,IAAI,CAuCvF"}