@trust-assurance-protocol/owaspscan 1.0.0

package/dist/rules/owasp-a03/sql-injection.js

@@ -0,0 +1,88 @@
+// OWASP A03:2021 — Injection
+// Rule: SQL Injection via string concatenation or template literals
+export const SqlInjection = {
+    id: 'OWASP-A03-001',
+    name: 'SQL Injection via String Concatenation or Template Literal',
+    owasp: 'A03:2021',
+    cwe: 'CWE-89',
+    severity: 'CRITICAL',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'ruby', 'go', 'csharp'],
+    description: 'SQL query built by concatenating or interpolating user-controlled input. ' +
+        'Attackers can break out of the query string and execute arbitrary SQL commands, ' +
+        'reading, modifying, or deleting any data in the database. ' +
+        'The #1 most common AI-generated security bug — AI assistants use string concat for convenience.',
+    patterns: [
+        {
+            // SQL keyword in a string concatenated with user input — broad pattern
+            pattern: /(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|WHERE|UNION)\b[^\n]{0,200}\+[^\n]{0,100}(?:req\.|request\.)(?:params|body|query)\b/gi,
+            snippetLines: 3,
+        },
+        {
+            // db/client.query with concat directly
+            pattern: /(?:db|pool|client|conn|connection)\s*\.\s*(?:query|execute|run|exec)\s*\([^\n]*\+[^\n]*(?:req\.|request\.)(?:params|body|query)\b/gi,
+            snippetLines: 3,
+        },
+        {
+            // Template literal SQL with user input (JS/TS)
+            pattern: /`\s*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|WHERE|UNION)\b[^`]*\$\{[^}]*(?:req\.|request\.|params\.|query\.|body\.|user\.|input\.|data\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // db.query/execute/run with string concat (JS/TS)
+            pattern: /(?:db|conn|pool|client|connection|knex)\s*\.\s*(?:query|execute|run|exec|raw)\s*\(\s*['"`][^'"`]*['"`]\s*\+/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python: cursor.execute with format string or % operator
+            pattern: /cursor\s*\.\s*execute\s*\(\s*['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE|WHERE)[^'"`]*['"`]\s*%\s*(?:request\.|req\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python: f-string SQL
+            pattern: /cursor\s*\.\s*execute\s*\(\s*f['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE|WHERE)[^'"`]*\{[^}]*(?:request\.|req\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: mysql_query / mysqli_query with string concat
+            pattern: /(?:mysql_query|mysqli_query|pg_query)\s*\(\s*[^,]*['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE)[^'"`]*['"`]\s*\./gi,
+            snippetLines: 3,
+        },
+        {
+            // Java: Statement.executeQuery with string concat
+            pattern: /(?:stmt|statement|conn)\s*\.\s*execute(?:Query|Update)?\s*\(\s*['"`][^'"`]*['"`]\s*\+/gi,
+            snippetLines: 3,
+        },
+        {
+            // Go: db.Query with Sprintf
+            pattern: /(?:db|tx)\s*\.\s*(?:Query|Exec|QueryRow)\s*\(\s*fmt\.Sprintf\s*\(\s*['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE|WHERE)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'ALWAYS use parameterized queries (prepared statements) — never concatenate user input into SQL.\n\n' +
+        '// Node.js + mysql2:\n' +
+        'const [rows] = await db.query(\n' +
+        '  "SELECT * FROM users WHERE id = ? AND email = ?",\n' +
+        '  [req.params.id, req.body.email] // parameters passed separately\n' +
+        ');\n\n' +
+        '// Node.js + pg:\n' +
+        'const result = await client.query(\n' +
+        '  "SELECT * FROM users WHERE id = $1",\n' +
+        '  [req.params.id]\n' +
+        ');\n\n' +
+        '// Python:\n' +
+        'cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))\n\n' +
+        '// PHP + PDO:\n' +
+        '$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");\n' +
+        '$stmt->execute([$_GET["id"]]);\n\n' +
+        '// Java:\n' +
+        'PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");\n' +
+        'ps.setInt(1, userId);',
+    references: [
+        'https://owasp.org/Top10/A03_2021-Injection/',
+        'https://cwe.mitre.org/data/definitions/89.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html',
+        'https://portswigger.net/web-security/sql-injection',
+    ],
+    tags: ['injection', 'sql', 'database', 'sqli'],
+};
+//# sourceMappingURL=sql-injection.js.map

package/dist/rules/owasp-a03/sql-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection.js","sourceRoot":"","sources":["../../../src/rules/owasp-a03/sql-injection.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,oEAAoE;AAIpE,MAAM,CAAC,MAAM,YAAY,GAAS;IAChC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,4DAA4D;IAClE,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,QAAQ;IACb,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC;IACxF,WAAW,EACT,2EAA2E;QAC3E,kFAAkF;QAClF,4DAA4D;QAC5D,iGAAiG;IACnG,QAAQ,EAAE;QACR;YACE,uEAAuE;YACvE,OAAO,EACL,gIAAgI;YAClI,YAAY,EAAE,CAAC;SAChB;QACD;YACE,uCAAuC;YACvC,OAAO,EACL,qIAAqI;YACvI,YAAY,EAAE,CAAC;SAChB;QACD;YACE,+CAA+C;YAC/C,OAAO,EACL,+IAA+I;YACjJ,YAAY,EAAE,CAAC;SAChB;QACD;YACE,kDAAkD;YAClD,OAAO,EACL,+GAA+G;YACjH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,0DAA0D;YAC1D,OAAO,EACL,wHAAwH;YAC1H,YAAY,EAAE,CAAC;SAChB;QACD;YACE,uBAAuB;YACvB,OAAO,EACL,oHAAoH;YACtH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,qDAAqD;YACrD,OAAO,EACL,kHAAkH;YACpH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,kDAAkD;YAClD,OAAO,EACL,yFAAyF;YAC3F,YAAY,EAAE,CAAC;SAChB;QACD;YACE,4BAA4B;YAC5B,OAAO,EACL,yHAAyH;YAC3H,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,qGAAqG;QACrG,wBAAwB;QACxB,kCAAkC;QAClC,uDAAuD;QACvD,qEAAqE;QACrE,QAAQ;QACR,oBAAoB;QACpB,sCAAsC;QACtC,0CAA0C;QAC1C,qBAAqB;QACrB,QAAQ;QACR,cAAc;QACd,qEAAqE;QACrE,iBAAiB;QACjB,8DAA8D;QAC9D,oCAAoC;QACpC,YAAY;QACZ,qFAAqF;QACrF,uBAAuB;IACzB,UAAU,EAAE;QACV,6CAA6C;QAC7C,gDAAgD;QAChD,0FAA0F;QAC1F,oDAAoD;KACrD;IACD,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC;CAC/C,CAAC"}

package/dist/rules/owasp-a03/template-injection.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const TemplateInjection: Rule;
+//# sourceMappingURL=template-injection.d.ts.map

package/dist/rules/owasp-a03/template-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"template-injection.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a03/template-injection.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,iBAAiB,EAAE,IAoE/B,CAAC"}

package/dist/rules/owasp-a03/template-injection.js

@@ -0,0 +1,64 @@
+// OWASP A03:2021 — Injection
+// Rule: Server-Side Template Injection (SSTI)
+export const TemplateInjection = {
+    id: 'OWASP-A03-005',
+    name: 'Server-Side Template Injection (SSTI)',
+    owasp: 'A03:2021',
+    cwe: 'CWE-94',
+    severity: 'CRITICAL',
+    languages: ['javascript', 'typescript', 'python', 'php', 'ruby', 'java'],
+    description: 'User input passed to a template engine as a template string (not as data) allows ' +
+        'attackers to execute arbitrary code on the server. A classic example: passing ' +
+        'req.body.template to pug.render() or env.from_string() with user content.',
+    patterns: [
+        {
+            // Pug/Jade: render/compile with user input as template
+            pattern: /(?:pug|jade)\s*\.\s*(?:render|compile|renderFile)\s*\([^)]*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Handlebars: compile/precompile with user template
+            pattern: /(?:Handlebars|hbs)\s*\.\s*(?:compile|precompile)\s*\([^)]*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+        {
+            // EJS: render with user input as template string
+            pattern: /ejs\s*\.\s*render\s*\([^)]*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python Jinja2: from_string with user input
+            pattern: /(?:env|environment|jinja2)\s*\.\s*from_string\s*\([^)]*(?:request\.|req\.)(?:args|form|json|data)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python Jinja2: Template() with user content
+            pattern: /jinja2\s*\.\s*Template\s*\([^)]*(?:request\.|req\.)(?:args|form|json|data)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Mako/Genshi template from user input
+            pattern: /Template\s*\(\s*text\s*=\s*(?:request\.|req\.)(?:args|form|json|data)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Never use user input AS a template. Only pass user data INTO templates as context variables.\n\n' +
+        '// BAD:\n' +
+        'const html = pug.render(req.body.template, { user }); // SSTI!\n\n' +
+        '// GOOD — load template from filesystem, pass user data as context:\n' +
+        'const html = pug.renderFile("views/profile.pug", {\n' +
+        '  username: req.body.username, // data, not template code\n' +
+        '});\n\n' +
+        '// Python Jinja2 — BAD:\n' +
+        'template = jinja2.Template(request.args["tmpl"])  # SSTI!\n\n' +
+        '// GOOD:\n' +
+        'template = env.get_template("profile.html")  # from filesystem\n' +
+        'html = template.render(username=request.args.get("username", ""))',
+    references: [
+        'https://owasp.org/Top10/A03_2021-Injection/',
+        'https://cwe.mitre.org/data/definitions/94.html',
+        'https://portswigger.net/web-security/server-side-template-injection',
+    ],
+    tags: ['injection', 'ssti', 'template', 'rce'],
+};
+//# sourceMappingURL=template-injection.js.map

package/dist/rules/owasp-a03/template-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"template-injection.js","sourceRoot":"","sources":["../../../src/rules/owasp-a03/template-injection.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,8CAA8C;AAI9C,MAAM,CAAC,MAAM,iBAAiB,GAAS;IACrC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,uCAAuC;IAC7C,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,QAAQ;IACb,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;IACxE,WAAW,EACT,mFAAmF;QACnF,gFAAgF;QAChF,2EAA2E;IAC7E,QAAQ,EAAE;QACR;YACE,uDAAuD;YACvD,OAAO,EACL,uGAAuG;YACzG,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oDAAoD;YACpD,OAAO,EACL,sGAAsG;YACxG,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iDAAiD;YACjD,OAAO,EACL,uEAAuE;YACzE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,6CAA6C;YAC7C,OAAO,EACL,qGAAqG;YACvG,YAAY,EAAE,CAAC;SAChB;QACD;YACE,8CAA8C;YAC9C,OAAO,EACL,8EAA8E;YAChF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,uCAAuC;YACvC,OAAO,EACL,yEAAyE;YAC3E,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,kGAAkG;QAClG,WAAW;QACX,oEAAoE;QACpE,uEAAuE;QACvE,sDAAsD;QACtD,6DAA6D;QAC7D,SAAS;QACT,2BAA2B;QAC3B,+DAA+D;QAC/D,YAAY;QACZ,kEAAkE;QAClE,mEAAmE;IACrE,UAAU,EAAE;QACV,6CAA6C;QAC7C,gDAAgD;QAChD,qEAAqE;KACtE;IACD,IAAI,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,CAAC;CAC/C,CAAC"}

package/dist/rules/owasp-a03/xss.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const XssReflected: Rule;
+//# sourceMappingURL=xss.d.ts.map

package/dist/rules/owasp-a03/xss.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a03/xss.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,YAAY,EAAE,IA6E1B,CAAC"}

package/dist/rules/owasp-a03/xss.js

@@ -0,0 +1,74 @@
+// OWASP A03:2021 — Injection
+// Rule: Reflected / Stored XSS via unsanitized user input in HTML response
+export const XssReflected = {
+    id: 'OWASP-A03-004',
+    name: 'Cross-Site Scripting (XSS) via Unsanitized User Input',
+    owasp: 'A03:2021',
+    cwe: 'CWE-79',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript', 'python', 'php', 'ruby', 'java'],
+    description: 'User-controlled input rendered directly into HTML without escaping. Attackers inject ' +
+        'JavaScript that executes in victims\' browsers — stealing cookies, tokens, or performing ' +
+        'actions on the user\'s behalf. AI tools often use innerHTML, dangerouslySetInnerHTML, ' +
+        'or res.send() with unescaped user data.',
+    patterns: [
+        {
+            // JS: element.innerHTML with user input
+            pattern: /(?:\w+)\s*\.\s*innerHTML\s*=\s*(?!['"`][^'"`]*['"`])[^;]*(?:req\.|request\.|params\.|query\.|body\.|input\.|data\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // JS: document.write with user input
+            pattern: /document\s*\.\s*write\s*\([^)]*(?:req\.|request\.|location\.|search\.|hash\.|params\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // React: dangerouslySetInnerHTML with user content
+            pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?!DOMPurify|sanitize)[^}]*(?:req\.|props\.|state\.|user\.|data\.)/gi,
+            suppressIf: /DOMPurify|sanitizeHtml|xss-filters|sanitize/i,
+            snippetLines: 3,
+        },
+        {
+            // Express: res.send() / res.write() with user input (reflected)
+            pattern: /res\s*\.\s*(?:send|write)\s*\([^)]*(?:req\.|request\.)(?:body|params|query|headers)/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: echo/print with $_GET/$_POST without htmlspecialchars
+            pattern: /(?:echo|print)\s+(?!\s*htmlspecialchars|\s*htmlentities|\s*strip_tags)\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python/Flask: Markup() — bypasses Jinja2 auto-escaping
+            pattern: /Markup\s*\(\s*(?!.*escape\(|.*markupsafe)/gi,
+            requiresContext: /(?:request\.|form\.|args\.|json\.|data\.)/i,
+            snippetLines: 3,
+        },
+        {
+            // Template: |safe filter in Jinja2/Django with user data
+            pattern: /\{\{\s*[^}]*(?:request\.|form\.|args\.|data\.|user\.)[^|]*\|\s*safe\s*\}\}/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Always escape user input before rendering in HTML context.\n\n' +
+        '// Node.js — use a sanitization library:\n' +
+        'import DOMPurify from "dompurify";\n' +
+        'import { JSDOM } from "jsdom";\n' +
+        'const window = new JSDOM("").window;\n' +
+        'const purify = DOMPurify(window);\n' +
+        'element.innerHTML = purify.sanitize(userInput); // sanitized\n\n' +
+        '// Express — escape output:\n' +
+        'import escapeHtml from "escape-html";\n' +
+        'res.send(`<p>${escapeHtml(req.query.name)}</p>`);\n\n' +
+        '// PHP:\n' +
+        'echo htmlspecialchars($_GET["name"], ENT_QUOTES, "UTF-8");\n\n' +
+        '// Prefer template engines with auto-escaping (Jinja2, EJS, Handlebars)\n' +
+        '// and avoid |safe, {{{ }}}, or Markup() with user data.',
+    references: [
+        'https://owasp.org/Top10/A03_2021-Injection/',
+        'https://cwe.mitre.org/data/definitions/79.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html',
+    ],
+    tags: ['injection', 'xss', 'cross-site-scripting', 'html', 'output-encoding'],
+};
+//# sourceMappingURL=xss.js.map

package/dist/rules/owasp-a03/xss.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss.js","sourceRoot":"","sources":["../../../src/rules/owasp-a03/xss.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAC7B,2EAA2E;AAI3E,MAAM,CAAC,MAAM,YAAY,GAAS;IAChC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,uDAAuD;IAC7D,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,QAAQ;IACb,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;IACxE,WAAW,EACT,uFAAuF;QACvF,2FAA2F;QAC3F,wFAAwF;QACxF,yCAAyC;IAC3C,QAAQ,EAAE;QACR;YACE,wCAAwC;YACxC,OAAO,EACL,uHAAuH;YACzH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,qCAAqC;YACrC,OAAO,EACL,0FAA0F;YAC5F,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mDAAmD;YACnD,OAAO,EACL,2HAA2H;YAC7H,UAAU,EAAE,8CAA8C;YAC1D,YAAY,EAAE,CAAC;SAChB;QACD;YACE,gEAAgE;YAChE,OAAO,EACL,uFAAuF;YACzF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,6DAA6D;YAC7D,OAAO,EACL,gHAAgH;YAClH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yDAAyD;YACzD,OAAO,EAAE,6CAA6C;YACtD,eAAe,EAAE,4CAA4C;YAC7D,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yDAAyD;YACzD,OAAO,EAAE,8EAA8E;YACvF,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,gEAAgE;QAChE,4CAA4C;QAC5C,sCAAsC;QACtC,kCAAkC;QAClC,wCAAwC;QACxC,qCAAqC;QACrC,kEAAkE;QAClE,+BAA+B;QAC/B,yCAAyC;QACzC,uDAAuD;QACvD,WAAW;QACX,gEAAgE;QAChE,2EAA2E;QAC3E,0DAA0D;IAC5D,UAAU,EAAE;QACV,6CAA6C;QAC7C,gDAAgD;QAChD,iGAAiG;KAClG;IACD,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,EAAE,sBAAsB,EAAE,MAAM,EAAE,iBAAiB,CAAC;CAC9E,CAAC"}

package/dist/rules/owasp-a04/mass-assignment.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const MassAssignment: Rule;
+//# sourceMappingURL=mass-assignment.d.ts.map

package/dist/rules/owasp-a04/mass-assignment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mass-assignment.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a04/mass-assignment.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,cAAc,EAAE,IAiE5B,CAAC"}

package/dist/rules/owasp-a04/mass-assignment.js

@@ -0,0 +1,63 @@
+// OWASP A04:2021 — Insecure Design
+// Rule: Mass Assignment vulnerability (binding all request fields to model)
+export const MassAssignment = {
+    id: 'OWASP-A04-002',
+    name: 'Mass Assignment Vulnerability',
+    owasp: 'A04:2021',
+    cwe: 'CWE-915',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript', 'python', 'ruby', 'php'],
+    description: 'Binding all request body fields directly to a model object (e.g., User.create(req.body)) ' +
+        'allows attackers to set fields they should not control — such as isAdmin, role, balance, ' +
+        'or verified. AI tools commonly generate Model.create(req.body) for convenience.',
+    patterns: [
+        {
+            // Mongoose/Sequelize: Model.create(req.body) or new Model(req.body)
+            pattern: /(?:\w+)\s*\.\s*(?:create|build|insert|insertMany)\s*\(\s*req\s*\.\s*body\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // new Model(req.body) — passing entire body to constructor
+            pattern: /new\s+\w+\s*\(\s*req\s*\.\s*body\s*\)/g,
+            suppressIf: /(?:error|Error|exception|Exception|event|Event|stream|Stream)/i,
+            snippetLines: 3,
+        },
+        {
+            // Object spread: { ...req.body } into DB operations
+            pattern: /(?:create|update|save|insert|upsert)\s*\(\s*\{\s*\.\.\.\s*req\s*\.\s*body/gi,
+            snippetLines: 3,
+        },
+        {
+            // Object.assign(model, req.body)
+            pattern: /Object\s*\.\s*assign\s*\([^,]+,\s*req\s*\.\s*body\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python Django: Model(**request.data) or form.save() without field restriction
+            pattern: /\w+\s*\(\s*\*\*\s*request\.(?:data|POST|json)\s*\)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Explicitly whitelist the fields you accept from user input. Never pass req.body directly to a model.\n\n' +
+        '// BAD:\n' +
+        'const user = await User.create(req.body); // attacker sets isAdmin: true\n\n' +
+        '// GOOD — explicit field extraction:\n' +
+        'const { name, email, password } = req.body;\n' +
+        'const user = await User.create({\n' +
+        '  name,\n' +
+        '  email,\n' +
+        '  password: await bcrypt.hash(password, 12),\n' +
+        '  // isAdmin NOT included — cannot be set by user\n' +
+        '});\n\n' +
+        '// Alternatively, use a validation library like Zod:\n' +
+        'import { z } from "zod";\n' +
+        'const CreateUserSchema = z.object({ name: z.string(), email: z.string().email() });\n' +
+        'const data = CreateUserSchema.parse(req.body); // strips unknown fields',
+    references: [
+        'https://owasp.org/Top10/A04_2021-Insecure_Design/',
+        'https://cwe.mitre.org/data/definitions/915.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html',
+    ],
+    tags: ['mass-assignment', 'input-validation', 'design', 'authorization'],
+};
+//# sourceMappingURL=mass-assignment.js.map

package/dist/rules/owasp-a04/mass-assignment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mass-assignment.js","sourceRoot":"","sources":["../../../src/rules/owasp-a04/mass-assignment.ts"],"names":[],"mappings":"AAAA,mCAAmC;AACnC,4EAA4E;AAI5E,MAAM,CAAC,MAAM,cAAc,GAAS;IAClC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,+BAA+B;IACrC,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC;IAChE,WAAW,EACT,2FAA2F;QAC3F,2FAA2F;QAC3F,iFAAiF;IACnF,QAAQ,EAAE;QACR;YACE,oEAAoE;YACpE,OAAO,EACL,iFAAiF;YACnF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,2DAA2D;YAC3D,OAAO,EACL,wCAAwC;YAC1C,UAAU,EAAE,gEAAgE;YAC5E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oDAAoD;YACpD,OAAO,EACL,6EAA6E;YAC/E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iCAAiC;YACjC,OAAO,EAAE,0DAA0D;YACnE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,gFAAgF;YAChF,OAAO,EACL,sDAAsD;YACxD,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,0GAA0G;QAC1G,WAAW;QACX,8EAA8E;QAC9E,wCAAwC;QACxC,+CAA+C;QAC/C,oCAAoC;QACpC,WAAW;QACX,YAAY;QACZ,gDAAgD;QAChD,qDAAqD;QACrD,SAAS;QACT,wDAAwD;QACxD,4BAA4B;QAC5B,uFAAuF;QACvF,yEAAyE;IAC3E,UAAU,EAAE;QACV,mDAAmD;QACnD,iDAAiD;QACjD,iFAAiF;KAClF;IACD,IAAI,EAAE,CAAC,iBAAiB,EAAE,kBAAkB,EAAE,QAAQ,EAAE,eAAe,CAAC;CACzE,CAAC"}

package/dist/rules/owasp-a04/missing-rate-limit.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const MissingRateLimit: Rule;
+//# sourceMappingURL=missing-rate-limit.d.ts.map

package/dist/rules/owasp-a04/missing-rate-limit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-rate-limit.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a04/missing-rate-limit.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,gBAAgB,EAAE,IAkD9B,CAAC"}

package/dist/rules/owasp-a04/missing-rate-limit.js

@@ -0,0 +1,48 @@
+// OWASP A04:2021 — Insecure Design
+// Rule: Missing rate limiting on sensitive endpoints
+export const MissingRateLimit = {
+    id: 'OWASP-A04-001',
+    name: 'Missing Rate Limiting on Sensitive Endpoint',
+    owasp: 'A04:2021',
+    cwe: 'CWE-770',
+    severity: 'MEDIUM',
+    languages: ['javascript', 'typescript'],
+    description: 'Authentication, password reset, OTP verification, and account registration endpoints ' +
+        'without rate limiting are vulnerable to brute-force attacks, credential stuffing, and ' +
+        'account enumeration. AI tools rarely add rate limiting when generating auth routes.',
+    patterns: [
+        {
+            // Express login route without rate limiter
+            pattern: /(?:app|router)\s*\.\s*post\s*\(\s*['"`][^'"`]*(?:login|signin|sign-in|auth|authenticate|token|otp|verify|reset-password|forgot-password)[^'"`]*['"`]/gi,
+            suppressIf: /(?:rateLimit|rateLimiter|rate_limit|throttle|limiter|slowDown|express-rate-limit|@nestjs\/throttler|throttler)/i,
+            snippetLines: 3,
+        },
+        {
+            // Registration endpoint without rate limiting
+            pattern: /(?:app|router)\s*\.\s*post\s*\(\s*['"`][^'"`]*(?:register|signup|sign-up|create-account|new-user)[^'"`]*['"`]/gi,
+            suppressIf: /(?:rateLimit|rateLimiter|rate_limit|throttle|limiter|slowDown|express-rate-limit)/i,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Add rate limiting to all authentication and sensitive endpoints.\n\n' +
+        '// Express with express-rate-limit:\n' +
+        'import rateLimit from "express-rate-limit";\n\n' +
+        'const loginLimiter = rateLimit({\n' +
+        '  windowMs: 15 * 60 * 1000, // 15 minutes\n' +
+        '  max: 5, // max 5 login attempts per IP per window\n' +
+        '  message: { error: "Too many login attempts. Try again in 15 minutes." },\n' +
+        '  standardHeaders: true,\n' +
+        '  legacyHeaders: false,\n' +
+        '});\n\n' +
+        'app.post("/api/login", loginLimiter, async (req, res) => { ... });\n\n' +
+        '// For distributed systems use Redis store:\n' +
+        'import RedisStore from "rate-limit-redis";\n' +
+        'const limiter = rateLimit({ store: new RedisStore({ client: redisClient }) });',
+    references: [
+        'https://owasp.org/Top10/A04_2021-Insecure_Design/',
+        'https://cwe.mitre.org/data/definitions/770.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html',
+    ],
+    tags: ['rate-limiting', 'brute-force', 'auth', 'design'],
+};
+//# sourceMappingURL=missing-rate-limit.js.map

package/dist/rules/owasp-a04/missing-rate-limit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"missing-rate-limit.js","sourceRoot":"","sources":["../../../src/rules/owasp-a04/missing-rate-limit.ts"],"names":[],"mappings":"AAAA,mCAAmC;AACnC,qDAAqD;AAIrD,MAAM,CAAC,MAAM,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,6CAA6C;IACnD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,QAAQ;IAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;IACvC,WAAW,EACT,uFAAuF;QACvF,wFAAwF;QACxF,qFAAqF;IACvF,QAAQ,EAAE;QACR;YACE,2CAA2C;YAC3C,OAAO,EACL,wJAAwJ;YAC1J,UAAU,EACR,iHAAiH;YACnH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,8CAA8C;YAC9C,OAAO,EACL,iHAAiH;YACnH,UAAU,EACR,oFAAoF;YACtF,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,sEAAsE;QACtE,uCAAuC;QACvC,iDAAiD;QACjD,oCAAoC;QACpC,6CAA6C;QAC7C,uDAAuD;QACvD,8EAA8E;QAC9E,4BAA4B;QAC5B,2BAA2B;QAC3B,SAAS;QACT,wEAAwE;QACxE,+CAA+C;QAC/C,8CAA8C;QAC9C,gFAAgF;IAClF,UAAU,EAAE;QACV,mDAAmD;QACnD,iDAAiD;QACjD,gFAAgF;KACjF;IACD,IAAI,EAAE,CAAC,eAAe,EAAE,aAAa,EAAE,MAAM,EAAE,QAAQ,CAAC;CACzD,CAAC"}

package/dist/rules/owasp-a05/cors-wildcard.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const CorsWildcard: Rule;
+//# sourceMappingURL=cors-wildcard.d.ts.map

package/dist/rules/owasp-a05/cors-wildcard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-wildcard.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a05/cors-wildcard.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,YAAY,EAAE,IAiF1B,CAAC"}

package/dist/rules/owasp-a05/cors-wildcard.js

@@ -0,0 +1,79 @@
+// OWASP A05:2021 — Security Misconfiguration
+// Rule: CORS wildcard origin — allows any domain to make credentialed requests
+export const CorsWildcard = {
+    id: 'OWASP-A05-002',
+    name: 'CORS Wildcard Origin (Access-Control-Allow-Origin: *)',
+    owasp: 'A05:2021',
+    cwe: 'CWE-942',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'go', 'ruby'],
+    description: 'CORS configured with wildcard origin (*) or reflecting any origin without validation. ' +
+        'Combined with Access-Control-Allow-Credentials: true, this allows any website to make ' +
+        'credentialed cross-origin requests to your API, effectively defeating same-origin protection. ' +
+        'AI tools commonly generate cors() with no options, which defaults to wildcard.',
+    patterns: [
+        {
+            // Express cors() with no arguments (defaults to *) — direct or via require()
+            pattern: /app\s*\.\s*use\s*\(\s*(?:require\s*\(\s*['"`]cors['"`]\s*\)\s*\(\s*\)|cors\s*\(\s*\))\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // cors({ origin: '*' }) or cors({ origin: true }) — too permissive
+            pattern: /cors\s*\(\s*\{\s*[^}]*origin\s*:\s*(?:['"`]\*['"`]|true)\s*[^}]*\}\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Direct header: res.setHeader('Access-Control-Allow-Origin', '*')
+            pattern: /(?:res|response)\s*\.\s*(?:setHeader|header)\s*\(\s*['"`]Access-Control-Allow-Origin['"`]\s*,\s*['"`]\*['"`]\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Wildcard + credentials (especially dangerous combination)
+            pattern: /Access-Control-Allow-Origin['"]\s*,\s*['"]\*/gi,
+            snippetLines: 5,
+        },
+        {
+            // Python Flask-CORS: CORS(app) with no origins restriction
+            pattern: /CORS\s*\(\s*app\s*\)/gi,
+            suppressIf: /origins\s*=/i,
+            snippetLines: 3,
+        },
+        {
+            // Django CORS: CORS_ALLOW_ALL_ORIGINS = True
+            pattern: /CORS_ALLOW_ALL_ORIGINS\s*=\s*True/gi,
+            snippetLines: 1,
+        },
+        {
+            // Reflecting request origin directly
+            pattern: /(?:req|request)\s*\.\s*(?:headers|header)\s*(?:\[['"`]origin['"`]\]|\.origin)\s*\|\|?\s*['"`]\*/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Restrict CORS to a specific allowlist of trusted origins.\n\n' +
+        '// Express — explicit origin whitelist:\n' +
+        'import cors from "cors";\n' +
+        'const ALLOWED_ORIGINS = [\n' +
+        '  "https://myapp.com",\n' +
+        '  "https://www.myapp.com",\n' +
+        '  process.env.FRONTEND_URL,\n' +
+        '].filter(Boolean);\n\n' +
+        'app.use(cors({\n' +
+        '  origin: (origin, callback) => {\n' +
+        '    if (!origin || ALLOWED_ORIGINS.includes(origin)) {\n' +
+        '      callback(null, true);\n' +
+        '    } else {\n' +
+        '      callback(new Error("Not allowed by CORS"));\n' +
+        '    }\n' +
+        '  },\n' +
+        '  credentials: true,\n' +
+        '}));\n\n' +
+        '// Django:\n' +
+        'CORS_ALLOWED_ORIGINS = ["https://myapp.com"]  # explicit list',
+    references: [
+        'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/',
+        'https://cwe.mitre.org/data/definitions/942.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/CORS_Cheat_Sheet.html',
+    ],
+    tags: ['cors', 'misconfiguration', 'cross-origin', 'headers'],
+};
+//# sourceMappingURL=cors-wildcard.js.map

package/dist/rules/owasp-a05/cors-wildcard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors-wildcard.js","sourceRoot":"","sources":["../../../src/rules/owasp-a05/cors-wildcard.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,+EAA+E;AAI/E,MAAM,CAAC,MAAM,YAAY,GAAS;IAChC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,uDAAuD;IAC7D,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC;IAC9E,WAAW,EACT,wFAAwF;QACxF,wFAAwF;QACxF,gGAAgG;QAChG,gFAAgF;IAClF,QAAQ,EAAE;QACR;YACE,6EAA6E;YAC7E,OAAO,EAAE,8FAA8F;YACvG,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mEAAmE;YACnE,OAAO,EACL,2EAA2E;YAC7E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mEAAmE;YACnE,OAAO,EACL,qHAAqH;YACvH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,4DAA4D;YAC5D,OAAO,EACL,gDAAgD;YAClD,YAAY,EAAE,CAAC;SAChB;QACD;YACE,2DAA2D;YAC3D,OAAO,EAAE,wBAAwB;YACjC,UAAU,EAAE,cAAc;YAC1B,YAAY,EAAE,CAAC;SAChB;QACD;YACE,6CAA6C;YAC7C,OAAO,EAAE,qCAAqC;YAC9C,YAAY,EAAE,CAAC;SAChB;QACD;YACE,qCAAqC;YACrC,OAAO,EACL,mGAAmG;YACrG,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,+DAA+D;QAC/D,2CAA2C;QAC3C,4BAA4B;QAC5B,6BAA6B;QAC7B,0BAA0B;QAC1B,8BAA8B;QAC9B,+BAA+B;QAC/B,wBAAwB;QACxB,kBAAkB;QAClB,qCAAqC;QACrC,0DAA0D;QAC1D,+BAA+B;QAC/B,gBAAgB;QAChB,qDAAqD;QACrD,SAAS;QACT,QAAQ;QACR,wBAAwB;QACxB,UAAU;QACV,cAAc;QACd,+DAA+D;IACjE,UAAU,EAAE;QACV,6DAA6D;QAC7D,iDAAiD;QACjD,sEAAsE;KACvE;IACD,IAAI,EAAE,CAAC,MAAM,EAAE,kBAAkB,EAAE,cAAc,EAAE,SAAS,CAAC;CAC9D,CAAC"}

package/dist/rules/owasp-a05/debug-mode.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const DebugMode: Rule;
+//# sourceMappingURL=debug-mode.d.ts.map

package/dist/rules/owasp-a05/debug-mode.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"debug-mode.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a05/debug-mode.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,SAAS,EAAE,IAuEvB,CAAC"}

package/dist/rules/owasp-a05/debug-mode.js

@@ -0,0 +1,73 @@
+// OWASP A05:2021 — Security Misconfiguration
+// Rule: Debug mode enabled in production configuration
+export const DebugMode = {
+    id: 'OWASP-A05-001',
+    name: 'Debug Mode Enabled in Production',
+    owasp: 'A05:2021',
+    cwe: 'CWE-94',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'ruby'],
+    description: 'Debug mode or development environment settings left active in production code. ' +
+        'This exposes stack traces, internal paths, environment variables, and source code ' +
+        'to users — providing attackers with valuable reconnaissance information. ' +
+        'AI tools commonly generate DEBUG=True from tutorial templates.',
+    patterns: [
+        {
+            // Python/Django: DEBUG = True in settings file
+            pattern: /\bDEBUG\s*=\s*True\b/g,
+            suppressIf: /(?:test|spec|debug_setting|if.*DEBUG|DEBUG_OVERRIDE|dev|development)/i,
+            snippetLines: 1,
+        },
+        {
+            // Flask: app.run(debug=True) or app.debug = True
+            pattern: /(?:app\.run\s*\([^)]*debug\s*=\s*True|app\.debug\s*=\s*True)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Node.js: NODE_ENV = development (hardcoded)
+            pattern: /NODE_ENV\s*=\s*['"`]development['"`]/g,
+            suppressIf: /(?:test|spec|dev-only|if.*NODE_ENV)/i,
+            snippetLines: 1,
+        },
+        {
+            // Express: app.set('env', 'development')
+            pattern: /app\s*\.\s*set\s*\(\s*['"`]env['"`]\s*,\s*['"`]development['"`]\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: ini_set('display_errors', '1') or error_reporting(E_ALL)
+            pattern: /ini_set\s*\(\s*['"`]display_errors['"`]\s*,\s*['"`]?1['"`]?\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Spring Boot: spring.jpa.show-sql=true or logging.level=DEBUG
+            pattern: /(?:spring\.jpa\.show-sql\s*=\s*true|logging\.level\s*=\s*DEBUG)/gi,
+            snippetLines: 1,
+        },
+        {
+            // Generic: verbose error output to client
+            pattern: /res\s*\.\s*(?:send|json)\s*\([^)]*(?:error\.stack|err\.stack|e\.stack)\s*\)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Use environment variables to control debug settings. Never hardcode debug=true.\n\n' +
+        '// Python/Django:\n' +
+        'DEBUG = os.environ.get("DEBUG", "False") == "True"  # False in production\n\n' +
+        '// Flask:\n' +
+        'app.run(debug=os.environ.get("FLASK_DEBUG", "0") == "1")\n\n' +
+        '// Node.js — never expose stack traces:\n' +
+        'app.use((err, req, res, next) => {\n' +
+        '  const isDev = process.env.NODE_ENV === "development";\n' +
+        '  res.status(500).json({\n' +
+        '    error: "Internal Server Error",\n' +
+        '    ...(isDev && { stack: err.stack }), // only in dev\n' +
+        '  });\n' +
+        '});',
+    references: [
+        'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/',
+        'https://cwe.mitre.org/data/definitions/94.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html',
+    ],
+    tags: ['misconfiguration', 'debug', 'information-disclosure', 'production'],
+};
+//# sourceMappingURL=debug-mode.js.map

package/dist/rules/owasp-a05/debug-mode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"debug-mode.js","sourceRoot":"","sources":["../../../src/rules/owasp-a05/debug-mode.ts"],"names":[],"mappings":"AAAA,6CAA6C;AAC7C,uDAAuD;AAIvD,MAAM,CAAC,MAAM,SAAS,GAAS;IAC7B,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,kCAAkC;IACxC,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,QAAQ;IACb,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;IACxE,WAAW,EACT,iFAAiF;QACjF,oFAAoF;QACpF,2EAA2E;QAC3E,gEAAgE;IAClE,QAAQ,EAAE;QACR;YACE,+CAA+C;YAC/C,OAAO,EAAE,uBAAuB;YAChC,UAAU,EAAE,uEAAuE;YACnF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iDAAiD;YACjD,OAAO,EAAE,gEAAgE;YACzE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,8CAA8C;YAC9C,OAAO,EAAE,uCAAuC;YAChD,UAAU,EAAE,sCAAsC;YAClD,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yCAAyC;YACzC,OAAO,EAAE,wEAAwE;YACjF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,gEAAgE;YAChE,OAAO,EAAE,oEAAoE;YAC7E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,+DAA+D;YAC/D,OAAO,EAAE,mEAAmE;YAC5E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,0CAA0C;YAC1C,OAAO,EAAE,+EAA+E;YACxF,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,qFAAqF;QACrF,qBAAqB;QACrB,+EAA+E;QAC/E,aAAa;QACb,8DAA8D;QAC9D,2CAA2C;QAC3C,sCAAsC;QACtC,2DAA2D;QAC3D,4BAA4B;QAC5B,uCAAuC;QACvC,0DAA0D;QAC1D,SAAS;QACT,KAAK;IACP,UAAU,EAAE;QACV,6DAA6D;QAC7D,gDAAgD;QAChD,gFAAgF;KACjF;IACD,IAAI,EAAE,CAAC,kBAAkB,EAAE,OAAO,EAAE,wBAAwB,EAAE,YAAY,CAAC;CAC5E,CAAC"}

package/dist/rules/owasp-a05/default-credentials.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const DefaultCredentials: Rule;
+//# sourceMappingURL=default-credentials.d.ts.map

package/dist/rules/owasp-a05/default-credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"default-credentials.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a05/default-credentials.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,kBAAkB,EAAE,IAsDhC,CAAC"}