@trust-assurance-protocol/owaspscan 1.0.0

package/dist/reporter/console.js

@@ -0,0 +1,143 @@
+// ============================================================
+// Console Reporter — colored terminal output
+// ============================================================
+import chalk from 'chalk';
+import path from 'path';
+import { sortFindings } from '../utils/scoring.js';
+const SEVERITY_COLORS = {
+    CRITICAL: chalk.bgRed.white.bold,
+    HIGH: chalk.red.bold,
+    MEDIUM: chalk.yellow.bold,
+    LOW: chalk.blue,
+    INFO: chalk.gray,
+};
+const SEVERITY_ICONS = {
+    CRITICAL: '🔴',
+    HIGH: '🟠',
+    MEDIUM: '🟡',
+    LOW: '🔵',
+    INFO: '⚪',
+};
+function colorSeverity(severity) {
+    const color = SEVERITY_COLORS[severity];
+    return color(` ${severity} `);
+}
+function formatFinding(finding, showFix, noColor) {
+    const lines = [];
+    const relPath = path.relative(process.cwd(), finding.filePath);
+    const location = noColor
+        ? `${relPath}:${finding.line}:${finding.column}`
+        : chalk.cyan(`${relPath}:${finding.line}:${finding.column}`);
+    const severity = noColor
+        ? `[${finding.severity}]`
+        : colorSeverity(finding.severity);
+    const icon = SEVERITY_ICONS[finding.severity];
+    lines.push('');
+    lines.push(`${icon} ${severity} ${noColor ? finding.ruleId : chalk.dim(finding.ruleId)}`);
+    lines.push(`   ${noColor ? finding.ruleName : chalk.bold(finding.ruleName)}`);
+    lines.push(`   ${location}`);
+    lines.push(`   OWASP: ${finding.owasp} | CWE: ${finding.cwe}`);
+    // Detection method and confidence
+    const methodLabel = {
+        ast: 'AST', taint: 'AST-Taint', regex: 'Regex', llm: 'AI-Verified',
+    };
+    const methodText = methodLabel[finding.analysisMethod] ?? finding.analysisMethod;
+    const confStyle = finding.confidence === 'HIGH' ? chalk.green
+        : finding.confidence === 'MEDIUM' ? chalk.yellow
+            : chalk.gray;
+    const detectionTag = noColor
+        ? `[${methodText} · ${finding.confidence}]`
+        : confStyle(`[${methodText} · ${finding.confidence}]`);
+    lines.push(`   Detection: ${detectionTag}`);
+    if (finding.snippet) {
+        const snippetLines = finding.snippet.split('\n');
+        const codeBlock = snippetLines.map((l) => `   │ ${l}`).join('\n');
+        lines.push('');
+        lines.push(noColor ? codeBlock : chalk.gray(codeBlock));
+    }
+    if (showFix && finding.taintPath && finding.taintPath.length > 0) {
+        lines.push('');
+        lines.push(noColor ? '   Taint Path:' : chalk.cyan('   Taint Path:'));
+        finding.taintPath.forEach((step, i) => lines.push(`     ${i + 1}. ${step}`));
+    }
+    if (showFix) {
+        lines.push('');
+        lines.push(noColor ? '   Fix:' : chalk.green('   Fix:'));
+        const fixLines = finding.fix.split('\n').slice(0, 8);
+        fixLines.forEach((l) => lines.push(`   ${l}`));
+        lines.push('');
+        lines.push(noColor ? '   References:' : chalk.dim('   References:'));
+        finding.references.slice(0, 2).forEach((r) => lines.push(`   ${r}`));
+    }
+    return lines.join('\n');
+}
+function printSummaryBar(result, noColor) {
+    const { findingsBySeverity, securityScore, totalFiles, totalFindings, scanDurationMs } = result;
+    const scoreColor = securityScore >= 80
+        ? chalk.green
+        : securityScore >= 50
+            ? chalk.yellow
+            : chalk.red;
+    const score = noColor
+        ? `Score: ${securityScore}/100`
+        : scoreColor(`Score: ${securityScore}/100`);
+    process.stdout.write('\n');
+    process.stdout.write('─'.repeat(60) + '\n');
+    process.stdout.write(`OWASPScan Results — ${score}\n`);
+    process.stdout.write('─'.repeat(60) + '\n');
+    process.stdout.write(`Files scanned:  ${totalFiles}\n`);
+    process.stdout.write(`Total findings: ${totalFindings}\n`);
+    process.stdout.write(`Scan duration:  ${scanDurationMs}ms\n`);
+    process.stdout.write('\n');
+    const severities = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+    for (const sev of severities) {
+        const count = findingsBySeverity[sev];
+        if (count > 0) {
+            const label = noColor ? `[${sev}]` : colorSeverity(sev);
+            process.stdout.write(`  ${label}  ${count} finding${count !== 1 ? 's' : ''}\n`);
+        }
+    }
+    process.stdout.write('\n');
+    if (result.passed) {
+        const msg = noColor ? 'PASSED' : chalk.green.bold('✓ PASSED');
+        process.stdout.write(`Status: ${msg}\n`);
+    }
+    else {
+        const msg = noColor ? 'FAILED' : chalk.red.bold('✗ FAILED');
+        process.stdout.write(`Status: ${msg} — findings at or above threshold detected\n`);
+    }
+    process.stdout.write('─'.repeat(60) + '\n');
+}
+export function reportConsole(result, options) {
+    if (options.noColor) {
+        // Disable chalk colors
+        process.env['FORCE_COLOR'] = '0';
+    }
+    const allFindings = result.files.flatMap((f) => f.findings);
+    const sorted = sortFindings(allFindings);
+    if (sorted.length === 0) {
+        printSummaryBar(result, options.noColor);
+        process.stdout.write('\nNo security issues found. Great work!\n\n');
+        return;
+    }
+    // Group findings by file for cleaner output
+    const byFile = new Map();
+    for (const finding of sorted) {
+        const existing = byFile.get(finding.filePath) ?? [];
+        existing.push(finding);
+        byFile.set(finding.filePath, existing);
+    }
+    process.stdout.write('\n');
+    for (const [filePath, findings] of byFile) {
+        const relPath = path.relative(process.cwd(), filePath);
+        const header = options.noColor
+            ? `\n=== ${relPath} (${findings.length} findings) ===`
+            : chalk.bold(`\n=== ${chalk.cyan(relPath)} (${findings.length} findings) ===`);
+        process.stdout.write(header + '\n');
+        for (const finding of findings) {
+            process.stdout.write(formatFinding(finding, options.verbose || options.showFix, options.noColor) + '\n');
+        }
+    }
+    printSummaryBar(result, options.noColor);
+}
+//# sourceMappingURL=console.js.map

package/dist/reporter/console.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"console.js","sourceRoot":"","sources":["../../src/reporter/console.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,6CAA6C;AAC7C,+DAA+D;AAE/D,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAInD,MAAM,eAAe,GAAoC;IACvD,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI;IAChC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI;IACpB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI;IACzB,GAAG,EAAE,KAAK,CAAC,IAAI;IACf,IAAI,EAAE,KAAK,CAAC,IAAI;CACjB,CAAC;AAEF,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,IAAI;IACd,IAAI,EAAE,IAAI;IACV,MAAM,EAAE,IAAI;IACZ,GAAG,EAAE,IAAI;IACT,IAAI,EAAE,GAAG;CACV,CAAC;AAEF,SAAS,aAAa,CAAC,QAAkB;IACvC,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACxC,OAAO,KAAK,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,aAAa,CAAC,OAAgB,EAAE,OAAgB,EAAE,OAAgB;IACzE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC/D,MAAM,QAAQ,GAAG,OAAO;QACtB,CAAC,CAAC,GAAG,OAAO,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE;QAChD,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE/D,MAAM,QAAQ,GAAG,OAAO;QACtB,CAAC,CAAC,IAAI,OAAO,CAAC,QAAQ,GAAG;QACzB,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,IAAI,GAAG,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE9C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,QAAQ,IAAI,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAC1F,KAAK,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAC9E,KAAK,CAAC,IAAI,CAAC,MAAM,QAAQ,EAAE,CAAC,CAAC;IAC7B,KAAK,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,KAAK,WAAW,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAE/D,kCAAkC;IAClC,MAAM,WAAW,GAA2B;QAC1C,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,aAAa;KACnE,CAAC;IACF,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,cAAc,CAAC;IACjF,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK;QAC3D,CAAC,CAAC,OAAO,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM;YAChD,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC;IACf,MAAM,YAAY,GAAG,OAAO;QAC1B,CAAC,CAAC,IAAI,UAAU,MAAM,OAAO,CAAC,UAAU,GAAG;QAC3C,CAAC,CAAC,SAAS,CAAC,IAAI,UAAU,MAAM,OAAO,CAAC,UAAU,GAAG,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,iBAAiB,YAAY,EAAE,CAAC,CAAC;IAE5C,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,IAAI,OAAO,IAAI,OAAO,CAAC,SAAS,IAAI,OAAO,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACtE,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/E,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACrD,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACrE,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;IACvE,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,eAAe,CAAC,MAAkB,EAAE,OAAgB;IAC3D,MAAM,EAAE,kBAAkB,EAAE,aAAa,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,GAAG,MAAM,CAAC;IAEhG,MAAM,UAAU,GAAG,aAAa,IAAI,EAAE;QACpC,CAAC,CAAC,KAAK,CAAC,KAAK;QACb,CAAC,CAAC,aAAa,IAAI,EAAE;YACnB,CAAC,CAAC,KAAK,CAAC,MAAM;YACd,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;IAEhB,MAAM,KAAK,GAAG,OAAO;QACnB,CAAC,CAAC,UAAU,aAAa,MAAM;QAC/B,CAAC,CAAC,UAAU,CAAC,UAAU,aAAa,MAAM,CAAC,CAAC;IAE9C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,KAAK,IAAI,CAAC,CAAC;IACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,UAAU,IAAI,CAAC,CAAC;IACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,aAAa,IAAI,CAAC,CAAC;IAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,cAAc,MAAM,CAAC,CAAC;IAC9D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE3B,MAAM,UAAU,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC7E,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACd,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;YACxD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,KAAK,KAAK,WAAW,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE3B,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC9D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC,CAAC;IAC3C,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC5D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,GAAG,8CAA8C,CAAC,CAAC;IACrF,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;AAC9C,CAAC;AAQD,MAAM,UAAU,aAAa,CAAC,MAAkB,EAAE,OAA+B;IAC/E,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,uBAAuB;QACvB,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;IACnC,CAAC;IAED,MAAM,WAAW,GAAc,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IACvE,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,CAAC,CAAC;IAEzC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QACzC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACpE,OAAO;IACT,CAAC;IAED,4CAA4C;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,OAAO,IAAI,MAAM,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;QACpD,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACvB,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC3B,KAAK,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO;YAC5B,CAAC,CAAC,SAAS,OAAO,KAAK,QAAQ,CAAC,MAAM,gBAAgB;YACtD,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,MAAM,gBAAgB,CAAC,CAAC;QACjF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;QAEpC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,CACnF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC"}

package/dist/reporter/json.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from '../types/index.js';
+export declare function reportJson(result: ScanResult): string;
+//# sourceMappingURL=json.d.ts.map

package/dist/reporter/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/reporter/json.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAEpD,wBAAgB,UAAU,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAErD"}

package/dist/reporter/json.js

@@ -0,0 +1,7 @@
+// ============================================================
+// JSON Reporter — machine-readable structured output
+// ============================================================
+export function reportJson(result) {
+    return JSON.stringify(result, null, 2);
+}
+//# sourceMappingURL=json.js.map

package/dist/reporter/json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/reporter/json.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,qDAAqD;AACrD,+DAA+D;AAI/D,MAAM,UAAU,UAAU,CAAC,MAAkB;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACzC,CAAC"}

package/dist/reporter/llm.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from '../types/index.js';
+export declare function reportLlm(result: ScanResult): string;
+//# sourceMappingURL=llm.d.ts.map

package/dist/reporter/llm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm.d.ts","sourceRoot":"","sources":["../../src/reporter/llm.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,mBAAmB,CAAC;AAuBvE,wBAAgB,SAAS,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAgDpD"}

package/dist/reporter/llm.js

@@ -0,0 +1,66 @@
+// ============================================================
+// LLM Reporter — compact format optimized for AI agent consumption
+// Significantly smaller than JSON/SARIF — efficient for context windows
+// ============================================================
+import path from 'path';
+const SEV_SHORT = {
+    CRITICAL: 'CRIT',
+    HIGH: 'HIGH',
+    MEDIUM: 'MED',
+    LOW: 'LOW',
+    INFO: 'INFO',
+};
+function formatFindingCompact(f) {
+    const relPath = path.relative(process.cwd(), f.filePath);
+    return [
+        `[${SEV_SHORT[f.severity]}] ${f.ruleId} @ ${relPath}:${f.line}`,
+        `OWASP:${f.owasp} CWE:${f.cwe}`,
+        `MSG: ${f.ruleName}`,
+        `CODE: ${f.snippet.split('\n')[0]?.trim().slice(0, 100) ?? ''}`,
+        `FIX: ${f.fix.split('\n')[0]?.trim().slice(0, 120) ?? ''}`,
+        `REF: ${f.references[0] ?? ''}`,
+    ].join('\n');
+}
+export function reportLlm(result) {
+    const allFindings = result.files.flatMap((f) => f.findings);
+    const header = [
+        `OWASPSCAN_RESULT score=${result.securityScore}/100 findings=${result.totalFindings} files=${result.totalFiles}`,
+        `severity_summary: CRIT=${result.findingsBySeverity.CRITICAL} HIGH=${result.findingsBySeverity.HIGH} MED=${result.findingsBySeverity.MEDIUM} LOW=${result.findingsBySeverity.LOW}`,
+        `status: ${result.passed ? 'PASSED' : 'FAILED'}`,
+        `scanned: ${result.timestamp}`,
+        '---',
+    ].join('\n');
+    if (allFindings.length === 0) {
+        return `${header}\nNO_FINDINGS — code passed all OWASP security checks.`;
+    }
+    // Group by severity to highlight critical first
+    const bySeverity = {
+        CRITICAL: [],
+        HIGH: [],
+        MEDIUM: [],
+        LOW: [],
+        INFO: [],
+    };
+    for (const f of allFindings) {
+        bySeverity[f.severity].push(f);
+    }
+    const sections = [header];
+    const order = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+    for (const sev of order) {
+        const findings = bySeverity[sev];
+        if (findings.length === 0)
+            continue;
+        sections.push(`\n### ${sev} FINDINGS (${findings.length})`);
+        for (const f of findings) {
+            sections.push(formatFindingCompact(f));
+            sections.push('---');
+        }
+    }
+    // Category breakdown
+    sections.push('\n### CATEGORY_BREAKDOWN');
+    for (const [category, count] of Object.entries(result.findingsByCategory)) {
+        sections.push(`${category}: ${count}`);
+    }
+    return sections.join('\n');
+}
+//# sourceMappingURL=llm.js.map

package/dist/reporter/llm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm.js","sourceRoot":"","sources":["../../src/reporter/llm.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,mEAAmE;AACnE,wEAAwE;AACxE,+DAA+D;AAG/D,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,MAAM,SAAS,GAA6B;IAC1C,QAAQ,EAAE,MAAM;IAChB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,KAAK;IACb,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,MAAM;CACb,CAAC;AAEF,SAAS,oBAAoB,CAAC,CAAU;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;IACzD,OAAO;QACL,IAAI,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,MAAM,MAAM,OAAO,IAAI,CAAC,CAAC,IAAI,EAAE;QAC/D,SAAS,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,GAAG,EAAE;QAC/B,QAAQ,CAAC,CAAC,QAAQ,EAAE;QACpB,SAAS,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE;QAC/D,QAAQ,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE;QAC1D,QAAQ,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE;KAChC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,MAAkB;IAC1C,MAAM,WAAW,GAAc,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEvE,MAAM,MAAM,GAAG;QACb,0BAA0B,MAAM,CAAC,aAAa,iBAAiB,MAAM,CAAC,aAAa,UAAU,MAAM,CAAC,UAAU,EAAE;QAChH,0BAA0B,MAAM,CAAC,kBAAkB,CAAC,QAAQ,SAAS,MAAM,CAAC,kBAAkB,CAAC,IAAI,QAAQ,MAAM,CAAC,kBAAkB,CAAC,MAAM,QAAQ,MAAM,CAAC,kBAAkB,CAAC,GAAG,EAAE;QAClL,WAAW,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;QAChD,YAAY,MAAM,CAAC,SAAS,EAAE;QAC9B,KAAK;KACN,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,GAAG,MAAM,wDAAwD,CAAC;IAC3E,CAAC;IAED,gDAAgD;IAChD,MAAM,UAAU,GAAgC;QAC9C,QAAQ,EAAE,EAAE;QACZ,IAAI,EAAE,EAAE;QACR,MAAM,EAAE,EAAE;QACV,GAAG,EAAE,EAAE;QACP,IAAI,EAAE,EAAE;KACT,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;QAC5B,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,QAAQ,GAAa,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,KAAK,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAExE,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QACpC,QAAQ,CAAC,IAAI,CAAC,SAAS,GAAG,cAAc,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC5D,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,QAAQ,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC1C,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC1E,QAAQ,CAAC,IAAI,CAAC,GAAG,QAAQ,KAAK,KAAe,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC"}

package/dist/reporter/sarif.d.ts

@@ -0,0 +1,3 @@
+import type { ScanResult } from '../types/index.js';
+export declare function reportSarif(result: ScanResult): string;
+//# sourceMappingURL=sarif.d.ts.map

package/dist/reporter/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/reporter/sarif.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,UAAU,EAAqB,MAAM,mBAAmB,CAAC;AA8GvE,wBAAgB,WAAW,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAkCtD"}

package/dist/reporter/sarif.js

@@ -0,0 +1,110 @@
+// ============================================================
+// SARIF Reporter — Static Analysis Results Interchange Format
+// Compatible with GitHub Code Scanning and GitLab SAST
+// https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+// ============================================================
+import { registry } from '../rules/registry.js';
+const SEVERITY_SARIF = {
+    CRITICAL: 'error',
+    HIGH: 'error',
+    MEDIUM: 'warning',
+    LOW: 'note',
+    INFO: 'none',
+};
+const SECURITY_SEVERITY_MAP = {
+    CRITICAL: '9.8',
+    HIGH: '7.5',
+    MEDIUM: '5.0',
+    LOW: '3.0',
+    INFO: '1.0',
+};
+function toSarifUri(filePath) {
+    // Convert absolute path to file:// URI
+    const normalized = filePath.replace(/\\/g, '/');
+    if (normalized.startsWith('/')) {
+        return `file://${normalized}`;
+    }
+    return `file:///${normalized}`;
+}
+function buildSarifRules() {
+    return registry.getAll().map((rule) => ({
+        id: rule.id,
+        name: rule.id.replace(/-/g, ''),
+        shortDescription: { text: rule.name },
+        fullDescription: { text: rule.description },
+        help: {
+            text: rule.fix,
+            markdown: `## ${rule.name}\n\n${rule.description}\n\n## Remediation\n\n\`\`\`\n${rule.fix}\n\`\`\``,
+        },
+        helpUri: rule.references[0] ?? 'https://owasp.org/Top10/',
+        properties: {
+            tags: [rule.owasp, rule.cwe, ...rule.tags],
+            security_severity: SECURITY_SEVERITY_MAP[rule.severity],
+            'problem.severity': SEVERITY_SARIF[rule.severity],
+            precision: 'medium',
+        },
+    }));
+}
+function buildSarifResult(finding) {
+    const result = {
+        ruleId: finding.ruleId,
+        level: SEVERITY_SARIF[finding.severity],
+        message: {
+            text: `${finding.ruleName}\n\nOWASP: ${finding.owasp} | ${finding.cwe}\n\n${finding.message}`,
+        },
+        locations: [
+            {
+                physicalLocation: {
+                    artifactLocation: {
+                        uri: toSarifUri(finding.filePath),
+                    },
+                    region: {
+                        startLine: finding.line,
+                        startColumn: finding.column,
+                    },
+                },
+            },
+        ],
+        fingerprints: {
+            'primaryLocationLineHash/v1': `${finding.ruleId}:${finding.filePath}:${finding.line}`,
+        },
+        properties: {
+            confidence: finding.confidence,
+            analysisMethod: finding.analysisMethod,
+            ...(finding.taintPath ? { taintPath: finding.taintPath } : {}),
+        },
+    };
+    return result;
+}
+export function reportSarif(result) {
+    const allFindings = result.files.flatMap((f) => f.findings);
+    const sarif = {
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+        version: '2.1.0',
+        runs: [
+            {
+                tool: {
+                    driver: {
+                        name: 'OWASPScan',
+                        version: '1.0.0',
+                        informationUri: 'https://github.com/owaspscan/owaspscan',
+                        rules: buildSarifRules(),
+                    },
+                },
+                results: allFindings.map(buildSarifResult),
+                invocations: [
+                    {
+                        executionSuccessful: true,
+                        startTimeUtc: result.timestamp,
+                        endTimeUtc: new Date(new Date(result.timestamp).getTime() + result.scanDurationMs).toISOString(),
+                    },
+                ],
+                automationDetails: {
+                    id: result.scanId,
+                },
+            },
+        ],
+    };
+    return JSON.stringify(sarif, null, 2);
+}
+//# sourceMappingURL=sarif.js.map

package/dist/reporter/sarif.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/reporter/sarif.ts"],"names":[],"mappings":"AAAA,+DAA+D;AAC/D,8DAA8D;AAC9D,uDAAuD;AACvD,mEAAmE;AACnE,+DAA+D;AAG/D,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAEhD,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,OAAO;IACjB,IAAI,EAAE,OAAO;IACb,MAAM,EAAE,SAAS;IACjB,GAAG,EAAE,MAAM;IACX,IAAI,EAAE,MAAM;CACb,CAAC;AAgCF,MAAM,qBAAqB,GAA6B;IACtD,QAAQ,EAAE,KAAK;IACf,IAAI,EAAE,KAAK;IACX,MAAM,EAAE,KAAK;IACb,GAAG,EAAE,KAAK;IACV,IAAI,EAAE,KAAK;CACZ,CAAC;AAEF,SAAS,UAAU,CAAC,QAAgB;IAClC,uCAAuC;IACvC,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,UAAU,UAAU,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,WAAW,UAAU,EAAE,CAAC;AACjC,CAAC;AAED,SAAS,eAAe;IACtB,OAAO,QAAQ,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QACtC,EAAE,EAAE,IAAI,CAAC,EAAE;QACX,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAC/B,gBAAgB,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QACrC,eAAe,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,WAAW,EAAE;QAC3C,IAAI,EAAE;YACJ,IAAI,EAAE,IAAI,CAAC,GAAG;YACd,QAAQ,EAAE,MAAM,IAAI,CAAC,IAAI,OAAO,IAAI,CAAC,WAAW,iCAAiC,IAAI,CAAC,GAAG,UAAU;SACpG;QACD,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,0BAA0B;QACzD,UAAU,EAAE;YACV,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,CAAC;YAC1C,iBAAiB,EAAE,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC;YACvD,kBAAkB,EAAE,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC;YACjD,SAAS,EAAE,QAAQ;SACpB;KACF,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,gBAAgB,CAAC,OAAgB;IACxC,MAAM,MAAM,GAA2D;QACrE,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC;QACvC,OAAO,EAAE;YACP,IAAI,EAAE,GAAG,OAAO,CAAC,QAAQ,cAAc,OAAO,CAAC,KAAK,MAAM,OAAO,CAAC,GAAG,OAAO,OAAO,CAAC,OAAO,EAAE;SAC9F;QACD,SAAS,EAAE;YACT;gBACE,gBAAgB,EAAE;oBAChB,gBAAgB,EAAE;wBAChB,GAAG,EAAE,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC;qBAClC;oBACD,MAAM,EAAE;wBACN,SAAS,EAAE,OAAO,CAAC,IAAI;wBACvB,WAAW,EAAE,OAAO,CAAC,MAAM;qBAC5B;iBACF;aACF;SACF;QACD,YAAY,EAAE;YACZ,4BAA4B,EAAE,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE;SACtF;QACD,UAAU,EAAE;YACV,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/D;KACF,CAAC;IACF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,MAAkB;IAC5C,MAAM,WAAW,GAAc,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEvE,MAAM,KAAK,GAAG;QACZ,OAAO,EAAE,gGAAgG;QACzG,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE;YACJ;gBACE,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,OAAO;wBAChB,cAAc,EAAE,wCAAwC;wBACxD,KAAK,EAAE,eAAe,EAAE;qBACzB;iBACF;gBACD,OAAO,EAAE,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;gBAC1C,WAAW,EAAE;oBACX;wBACE,mBAAmB,EAAE,IAAI;wBACzB,YAAY,EAAE,MAAM,CAAC,SAAS;wBAC9B,UAAU,EAAE,IAAI,IAAI,CAClB,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,cAAc,CAC7D,CAAC,WAAW,EAAE;qBAChB;iBACF;gBACD,iBAAiB,EAAE;oBACjB,EAAE,EAAE,MAAM,CAAC,MAAM;iBAClB;aACF;SACF;KACF,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC"}

package/dist/rules/owasp-a01/idor.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const InsecureDirectObjectRef: Rule;
+//# sourceMappingURL=idor.d.ts.map

package/dist/rules/owasp-a01/idor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"idor.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a01/idor.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,uBAAuB,EAAE,IAmDrC,CAAC"}

package/dist/rules/owasp-a01/idor.js

@@ -0,0 +1,48 @@
+// OWASP A01:2021 — Broken Access Control
+// Rule: Insecure Direct Object Reference (IDOR)
+export const InsecureDirectObjectRef = {
+    id: 'OWASP-A01-003',
+    name: 'Insecure Direct Object Reference (IDOR)',
+    owasp: 'A01:2021',
+    cwe: 'CWE-639',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'ruby'],
+    description: 'Database queries using user-supplied IDs without verifying that the requesting ' +
+        'user owns or is authorized to access the resource. Attackers enumerate IDs to ' +
+        'access other users\' data. AI tools commonly generate findById(req.params.id) without ownership checks.',
+    patterns: [
+        {
+            // DB queries using req.params.id directly — without ownership check
+            pattern: /(?:findById|findOne|findByPk|findByIdAndUpdate|findByIdAndDelete|findByIdAndRemove|getById|fetchById)\s*\(\s*req\s*\.\s*params\s*\.\s*(?:id|userId|orderId|accountId|fileId)/gi,
+            suppressIf: /(?:req\.user\.id|currentUser|session\.userId|req\.userId|user_id\s*===?\s*req|\.userId\s*!==?\s*req|ownership|authorize|hasAccess|canAccess|isOwner)/i,
+            snippetLines: 5,
+        },
+        {
+            // Python ORM: Model.objects.get(id=request.GET['id']) style
+            pattern: /\.objects\.(?:get|filter)\s*\(\s*(?:id|pk|user_id)\s*=\s*request\.(?:GET|POST|data)\[/gi,
+            suppressIf: /(?:user=request\.user|owner=request\.user|request\.user\.id|user__id=request\.user)/i,
+            snippetLines: 5,
+        },
+        {
+            // Raw SQL with user ID: "WHERE id = " + req.params.id
+            pattern: /WHERE\s+id\s*=\s*['"$]?\s*\+\s*(?:req\.|request\.)(?:params|body|query)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Always verify resource ownership before returning or modifying data.\n\n' +
+        '// Node.js / Mongoose example:\n' +
+        'const document = await Model.findOne({\n' +
+        '  _id: req.params.id,\n' +
+        '  owner: req.user.id, // ownership check — the querying user MUST own it\n' +
+        '});\n' +
+        'if (!document) return res.status(404).json({ error: "Not found" });\n\n' +
+        '// Django example:\n' +
+        'obj = get_object_or_404(Model, pk=pk, owner=request.user)',
+    references: [
+        'https://owasp.org/Top10/A01_2021-Broken_Access_Control/',
+        'https://cwe.mitre.org/data/definitions/639.html',
+        'https://portswigger.net/web-security/access-control/idor',
+    ],
+    tags: ['idor', 'access-control', 'authorization', 'database'],
+};
+//# sourceMappingURL=idor.js.map

package/dist/rules/owasp-a01/idor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"idor.js","sourceRoot":"","sources":["../../../src/rules/owasp-a01/idor.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,gDAAgD;AAIhD,MAAM,CAAC,MAAM,uBAAuB,GAAS;IAC3C,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,yCAAyC;IAC/C,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;IACxE,WAAW,EACT,iFAAiF;QACjF,gFAAgF;QAChF,yGAAyG;IAC3G,QAAQ,EAAE;QACR;YACE,oEAAoE;YACpE,OAAO,EACL,gLAAgL;YAClL,UAAU,EACR,uJAAuJ;YACzJ,YAAY,EAAE,CAAC;SAChB;QACD;YACE,4DAA4D;YAC5D,OAAO,EACL,yFAAyF;YAC3F,UAAU,EACR,sFAAsF;YACxF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,sDAAsD;YACtD,OAAO,EACL,2EAA2E;YAC7E,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,0EAA0E;QAC1E,kCAAkC;QAClC,0CAA0C;QAC1C,yBAAyB;QACzB,4EAA4E;QAC5E,OAAO;QACP,yEAAyE;QACzE,sBAAsB;QACtB,2DAA2D;IAC7D,UAAU,EAAE;QACV,yDAAyD;QACzD,iDAAiD;QACjD,0DAA0D;KAC3D;IACD,IAAI,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,eAAe,EAAE,UAAU,CAAC;CAC9D,CAAC"}

package/dist/rules/owasp-a01/missing-auth-middleware.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const MissingAuthMiddleware: Rule;
+//# sourceMappingURL=missing-auth-middleware.d.ts.map

package/dist/rules/owasp-a01/missing-auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-auth-middleware.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a01/missing-auth-middleware.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,qBAAqB,EAAE,IA2CnC,CAAC"}

package/dist/rules/owasp-a01/missing-auth-middleware.js

@@ -0,0 +1,41 @@
+// OWASP A01:2021 — Broken Access Control
+// Rule: Missing authentication/authorization middleware on routes
+export const MissingAuthMiddleware = {
+    id: 'OWASP-A01-001',
+    name: 'Missing Authentication Middleware on Route',
+    owasp: 'A01:2021',
+    cwe: 'CWE-862',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript'],
+    description: 'Route handler defined without an authentication or authorization middleware. ' +
+        'AI assistants frequently generate CRUD routes missing auth guards, leaving ' +
+        'sensitive endpoints publicly accessible.',
+    patterns: [
+        {
+            // Express-style: app.get/post/put/delete/patch('/sensitive-path', handler)
+            // without an auth middleware in between
+            pattern: /(?:app|router)\s*\.\s*(?:get|post|put|patch|delete|all)\s*\(\s*['"`][^'"`]*(?:admin|user|profile|account|dashboard|settings|payment|order|invoice|secret|private|internal|api\/v\d)[^'"`]*['"`]\s*,\s*(?:async\s*)?\(\s*req/gi,
+            suppressIf: /(?:authenticate|authorize|requireAuth|isAuthenticated|verifyToken|checkAuth|passport\.authenticate|authMiddleware|protect|guard|requireLogin|isAdmin|hasRole|permit|acl|rbac)\s*(?:,|\()/i,
+            snippetLines: 3,
+        },
+        {
+            // FastAPI/Flask-style missing auth decorator on sensitive routes
+            pattern: /@(?:app|router)\.(?:get|post|put|patch|delete)\s*\(\s*['"`][^'"`]*(?:admin|user|profile|account|dashboard|settings|payment|order|secret|private|internal)[^'"`]*['"`]/gi,
+            suppressIf: /(?:Depends\s*\(|@login_required|@auth_required|@permission_required|requires_auth|get_current_user|current_user)/i,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Add authentication middleware before your route handler.\n\n' +
+        '// Express example:\n' +
+        'app.get("/api/users", authenticate, authorize("admin"), async (req, res) => { ... });\n\n' +
+        '// FastAPI example:\n' +
+        '@router.get("/users")\n' +
+        'async def get_users(current_user: User = Depends(get_current_user)):\n' +
+        '    ...',
+    references: [
+        'https://owasp.org/Top10/A01_2021-Broken_Access_Control/',
+        'https://cwe.mitre.org/data/definitions/862.html',
+    ],
+    tags: ['access-control', 'authorization', 'middleware', 'routing'],
+};
+//# sourceMappingURL=missing-auth-middleware.js.map

package/dist/rules/owasp-a01/missing-auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-auth-middleware.js","sourceRoot":"","sources":["../../../src/rules/owasp-a01/missing-auth-middleware.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,kEAAkE;AAIlE,MAAM,CAAC,MAAM,qBAAqB,GAAS;IACzC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,4CAA4C;IAClD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;IACvC,WAAW,EACT,+EAA+E;QAC/E,6EAA6E;QAC7E,0CAA0C;IAC5C,QAAQ,EAAE;QACR;YACE,2EAA2E;YAC3E,wCAAwC;YACxC,OAAO,EACL,+NAA+N;YACjO,UAAU,EACR,2LAA2L;YAC7L,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iEAAiE;YACjE,OAAO,EACL,yKAAyK;YAC3K,UAAU,EACR,mHAAmH;YACrH,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,8DAA8D;QAC9D,uBAAuB;QACvB,2FAA2F;QAC3F,uBAAuB;QACvB,yBAAyB;QACzB,wEAAwE;QACxE,SAAS;IACX,UAAU,EAAE;QACV,yDAAyD;QACzD,iDAAiD;KAClD;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,eAAe,EAAE,YAAY,EAAE,SAAS,CAAC;CACnE,CAAC"}

package/dist/rules/owasp-a01/path-traversal.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const PathTraversal: Rule;
+//# sourceMappingURL=path-traversal.d.ts.map

package/dist/rules/owasp-a01/path-traversal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-traversal.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a01/path-traversal.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,aAAa,EAAE,IA8E3B,CAAC"}

package/dist/rules/owasp-a01/path-traversal.js

@@ -0,0 +1,73 @@
+// OWASP A01:2021 — Broken Access Control
+// Rule: Path Traversal via unsanitized user input to file operations
+export const PathTraversal = {
+    id: 'OWASP-A01-002',
+    name: 'Path Traversal via Unsanitized User Input',
+    owasp: 'A01:2021',
+    cwe: 'CWE-22',
+    severity: 'CRITICAL',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'go', 'ruby'],
+    description: 'File system operations (read, write, delete) using user-controlled input without ' +
+        'path sanitization allow attackers to traverse directories (e.g., ../../../../etc/passwd). ' +
+        'AI tools commonly generate fs.readFile(req.params.file) style code.',
+    patterns: [
+        {
+            // Node.js: fs operations with req.body/params/query (direct)
+            pattern: /(?:fs|fsPromises|promises)\s*\.\s*(?:readFile|readFileSync|writeFile|writeFileSync|appendFile|unlink|rmdir|mkdir|stat|access|open)\s*\(\s*(?:req\.|request\.)(?:body|params|query|headers)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Node.js: fs operations with string concat including user input
+            pattern: /(?:fs|fsPromises|promises)\s*\.\s*(?:readFile|readFileSync|writeFile|writeFileSync|appendFile|unlink|stat|access|open)\s*\([^\n]*\+\s*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+        {
+            // path.join/resolve with user input
+            pattern: /path\s*\.\s*(?:join|resolve)\s*\([^)]*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python: open() with user input
+            pattern: /open\s*\(\s*(?:request\.|req\.)(?:args|form|json|data|params|files)\[/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python: os.path operations with user input
+            pattern: /os\.path\.(?:join|abspath|realpath)\s*\([^)]*(?:request\.|req\.)(?:args|form|json|data)/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: file operations with $_GET/$_POST/$_REQUEST
+            pattern: /(?:file_get_contents|fopen|readfile|include|require|include_once|require_once)\s*\(\s*\$_(?:GET|POST|REQUEST|FILES)\s*\[/gi,
+            snippetLines: 3,
+        },
+        {
+            // Generic: string concatenation to build file paths with user input
+            pattern: /(?:__dirname|__filename|process\.cwd\(\)|os\.getcwd\(\))\s*\+\s*.*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Always sanitize file paths from user input. Resolve to a canonical path and verify it stays within the allowed base directory.\n\n' +
+        '// Node.js example:\n' +
+        'import path from "path";\n' +
+        'const BASE_DIR = path.resolve("./uploads");\n' +
+        'const userFile = req.params.filename;\n' +
+        'const resolved = path.resolve(BASE_DIR, path.basename(userFile)); // basename strips ../\n' +
+        'if (!resolved.startsWith(BASE_DIR)) {\n' +
+        '  return res.status(400).send("Invalid file path");\n' +
+        '}\n' +
+        'const content = await fs.readFile(resolved, "utf8");\n\n' +
+        '// Python example:\n' +
+        'import os\n' +
+        'BASE_DIR = os.path.abspath("./uploads")\n' +
+        'safe_path = os.path.realpath(os.path.join(BASE_DIR, filename))\n' +
+        'if not safe_path.startswith(BASE_DIR):\n' +
+        '    raise ValueError("Path traversal detected")',
+    references: [
+        'https://owasp.org/Top10/A01_2021-Broken_Access_Control/',
+        'https://cwe.mitre.org/data/definitions/22.html',
+        'https://owasp.org/www-community/attacks/Path_Traversal',
+    ],
+    tags: ['path-traversal', 'file-system', 'injection', 'access-control'],
+};
+//# sourceMappingURL=path-traversal.js.map

package/dist/rules/owasp-a01/path-traversal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-traversal.js","sourceRoot":"","sources":["../../../src/rules/owasp-a01/path-traversal.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,qEAAqE;AAIrE,MAAM,CAAC,MAAM,aAAa,GAAS;IACjC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,2CAA2C;IACjD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,QAAQ;IACb,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC;IAC9E,WAAW,EACT,mFAAmF;QACnF,4FAA4F;QAC5F,qEAAqE;IACvE,QAAQ,EAAE;QACR;YACE,6DAA6D;YAC7D,OAAO,EACL,8LAA8L;YAChM,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iEAAiE;YACjE,OAAO,EACL,kLAAkL;YACpL,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oCAAoC;YACpC,OAAO,EACL,kFAAkF;YACpF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iCAAiC;YACjC,OAAO,EACL,yEAAyE;YAC3E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,6CAA6C;YAC7C,OAAO,EACL,2FAA2F;YAC7F,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mDAAmD;YACnD,OAAO,EACL,4HAA4H;YAC9H,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oEAAoE;YACpE,OAAO,EACL,8GAA8G;YAChH,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,oIAAoI;QACpI,uBAAuB;QACvB,4BAA4B;QAC5B,+CAA+C;QAC/C,yCAAyC;QACzC,4FAA4F;QAC5F,yCAAyC;QACzC,uDAAuD;QACvD,KAAK;QACL,0DAA0D;QAC1D,sBAAsB;QACtB,aAAa;QACb,2CAA2C;QAC3C,kEAAkE;QAClE,0CAA0C;QAC1C,iDAAiD;IACnD,UAAU,EAAE;QACV,yDAAyD;QACzD,gDAAgD;QAChD,wDAAwD;KACzD;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,aAAa,EAAE,WAAW,EAAE,gBAAgB,CAAC;CACvE,CAAC"}

package/dist/rules/owasp-a02/hardcoded-secrets.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const HardcodedSecrets: Rule;
+//# sourceMappingURL=hardcoded-secrets.d.ts.map

package/dist/rules/owasp-a02/hardcoded-secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hardcoded-secrets.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a02/hardcoded-secrets.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,gBAAgB,EAAE,IAwG9B,CAAC"}