@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/security/owasp-scanner.js

@@ -1,939 +0,0 @@
-/**
- * OWASP Security Scanner
- * 
- * ═══════════════════════════════════════════════════════════════════════════════
- * COMPETITIVE MOAT FEATURE - OWASP Top 10 Vulnerability Detection
- * ═══════════════════════════════════════════════════════════════════════════════
- * 
- * This engine scans code for the OWASP Top 10 web application security risks.
- * It provides both static analysis and runtime detection.
- * 
- * OWASP Top 10 (2021):
- * A01:2021 - Broken Access Control
- * A02:2021 - Cryptographic Failures
- * A03:2021 - Injection
- * A04:2021 - Insecure Design
- * A05:2021 - Security Misconfiguration
- * A06:2021 - Vulnerable Components
- * A07:2021 - Authentication Failures
- * A08:2021 - Data Integrity Failures
- * A09:2021 - Security Logging Failures
- * A10:2021 - Server-Side Request Forgery
- */
-
-"use strict";
-
-const fs = require("fs");
-const path = require("path");
-const crypto = require("crypto");
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// OWASP TOP 10 RULES
-// ═══════════════════════════════════════════════════════════════════════════════
-
-const OWASP_RULES = {
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A01:2021 - BROKEN ACCESS CONTROL
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A01": {
-    id: "A01",
-    name: "Broken Access Control",
-    description: "Restrictions on authenticated users are not properly enforced",
-    cwe: ["CWE-22", "CWE-284", "CWE-285", "CWE-352", "CWE-639"],
-    rules: [
-      {
-        id: "A01-path-traversal",
-        name: "Path Traversal",
-        severity: "critical",
-        patterns: [
-          /path\.join\([^)]*req\.(params|query|body)\./,
-          /fs\.(readFile|writeFile|unlink).*req\.(params|query|body)/,
-          /\.\.\/|\.\.\\|%2e%2e%2f/i
-        ],
-        message: "Potential path traversal vulnerability - user input used in file path",
-        fix: "Validate and sanitize file paths, use path.normalize() and check against base directory"
-      },
-      {
-        id: "A01-idor",
-        name: "Insecure Direct Object Reference",
-        severity: "high",
-        patterns: [
-          /findById\s*\(\s*req\.(params|query)\.id\s*\)/,
-          /where\s*:\s*\{\s*id\s*:\s*req\.params\.id\s*\}/,
-          /\/users\/\$\{.*id.*\}/
-        ],
-        message: "Potential IDOR - object accessed directly by user-supplied ID without authorization",
-        fix: "Verify user has permission to access the requested resource"
-      },
-      {
-        id: "A01-missing-auth-check",
-        name: "Missing Authorization Check",
-        severity: "high",
-        patterns: [
-          /router\.(get|post|put|delete)\s*\(\s*['"][^'"]*admin[^'"]*['"]\s*,\s*(?!.*auth)/,
-          /app\.(get|post|put|delete)\s*\(\s*['"][^'"]*\/api\/[^'"]*['"]\s*,\s*async\s*\(req/
-        ],
-        negativePatterns: [/auth|protect|verify|middleware|guard|check/i],
-        message: "Route may be missing authorization middleware",
-        fix: "Add authentication/authorization middleware to protected routes"
-      },
-      {
-        id: "A01-csrf",
-        name: "Missing CSRF Protection",
-        severity: "high",
-        patterns: [
-          /app\.post\s*\([^)]*(?!csrf|csrfProtection)/,
-          /<form[^>]*method=['"]post['"][^>]*(?!.*csrf)/i
-        ],
-        filePatterns: [/\.tsx?$/, /\.jsx?$/],
-        message: "POST endpoint may lack CSRF protection",
-        fix: "Implement CSRF tokens for state-changing operations"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A02:2021 - CRYPTOGRAPHIC FAILURES
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A02": {
-    id: "A02",
-    name: "Cryptographic Failures",
-    description: "Failures related to cryptography which often leads to sensitive data exposure",
-    cwe: ["CWE-261", "CWE-296", "CWE-310", "CWE-327", "CWE-328"],
-    rules: [
-      {
-        id: "A02-weak-hash",
-        name: "Weak Hashing Algorithm",
-        severity: "critical",
-        patterns: [
-          /createHash\(['"](?:md5|sha1)['"]\)/,
-          /crypto\.(?:MD5|SHA1)\(/,
-          /\.digest\(['"](?:md5|sha1)['"]\)/i
-        ],
-        message: "Weak hashing algorithm (MD5/SHA1) - use SHA-256 or stronger",
-        fix: "Replace with crypto.createHash('sha256') or bcrypt for passwords"
-      },
-      {
-        id: "A02-hardcoded-key",
-        name: "Hardcoded Cryptographic Key",
-        severity: "critical",
-        patterns: [
-          /(?:secret|key|password|token)\s*[:=]\s*['"][A-Za-z0-9+/=]{16,}['"]/i,
-          /createCipheriv\([^,]+,\s*['"][^'"]+['"]/,
-          /jwt\.sign\([^,]+,\s*['"][^'"]{8,}['"]/
-        ],
-        message: "Hardcoded cryptographic key or secret",
-        fix: "Move secrets to environment variables or secure key management"
-      },
-      {
-        id: "A02-insecure-random",
-        name: "Insecure Random Number Generator",
-        severity: "high",
-        patterns: [
-          /Math\.random\(\)/,
-          /Math\.floor\(Math\.random\(\)/
-        ],
-        context: /password|token|key|secret|session|auth|crypto/i,
-        message: "Math.random() is not cryptographically secure",
-        fix: "Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive operations"
-      },
-      {
-        id: "A02-cleartext-storage",
-        name: "Cleartext Password Storage",
-        severity: "critical",
-        patterns: [
-          /password\s*[:=]\s*(?:req\.body\.password|user\.password)/,
-          /\.create\(\s*\{[^}]*password\s*:\s*(?!.*(?:hash|bcrypt|argon))/
-        ],
-        message: "Password may be stored in cleartext",
-        fix: "Hash passwords with bcrypt or argon2 before storage"
-      },
-      {
-        id: "A02-http-sensitive",
-        name: "Sensitive Data Over HTTP",
-        severity: "high",
-        patterns: [
-          /http:\/\/(?!localhost|127\.0\.0\.1)[^/]*\/(?:api|auth|login|payment)/i,
-          /fetch\s*\(\s*['"]http:\/\/(?!localhost)/
-        ],
-        message: "Sensitive endpoint using HTTP instead of HTTPS",
-        fix: "Use HTTPS for all sensitive data transmission"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A03:2021 - INJECTION
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A03": {
-    id: "A03",
-    name: "Injection",
-    description: "User-supplied data is not validated, filtered, or sanitized",
-    cwe: ["CWE-20", "CWE-74", "CWE-79", "CWE-89", "CWE-94"],
-    rules: [
-      {
-        id: "A03-sql-injection",
-        name: "SQL Injection",
-        severity: "critical",
-        patterns: [
-          /query\s*\(\s*[`'"].*\$\{.*\}.*[`'"]/,
-          /execute\s*\(\s*[`'"].*\+.*req\.(body|query|params)/,
-          /raw\s*\(\s*[`'"].*\$\{.*req\./
-        ],
-        message: "Potential SQL injection - user input in SQL query",
-        fix: "Use parameterized queries or prepared statements"
-      },
-      {
-        id: "A03-nosql-injection",
-        name: "NoSQL Injection",
-        severity: "critical",
-        patterns: [
-          /\.\$where\s*:/,
-          /find\s*\(\s*\{\s*\$where/,
-          /\{\s*['"]?\$(?:where|regex|or|and|ne|gt|lt)['"]?\s*:/
-        ],
-        message: "Potential NoSQL injection",
-        fix: "Validate and sanitize input, avoid $where operator"
-      },
-      {
-        id: "A03-xss",
-        name: "Cross-Site Scripting (XSS)",
-        severity: "high",
-        patterns: [
-          /innerHTML\s*=\s*(?!['"])/,
-          /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/,
-          /document\.write\s*\(/,
-          /v-html\s*=/
-        ],
-        message: "Potential XSS vulnerability - unsafe HTML rendering",
-        fix: "Sanitize HTML content or use safe rendering methods"
-      },
-      {
-        id: "A03-command-injection",
-        name: "Command Injection",
-        severity: "critical",
-        patterns: [
-          /exec\s*\(\s*[`'"].*\$\{.*req\./,
-          /spawn\s*\(\s*[^,]+,\s*\[.*req\.(body|query|params)/,
-          /child_process.*\+.*req\./
-        ],
-        message: "Potential command injection - user input in shell command",
-        fix: "Validate input, use allowlists, avoid shell execution"
-      },
-      {
-        id: "A03-ldap-injection",
-        name: "LDAP Injection",
-        severity: "critical",
-        patterns: [
-          /ldap.*search.*\(.*req\.(body|query|params)/i,
-          /\((?:uid|cn|sn)=.*\$\{/
-        ],
-        message: "Potential LDAP injection",
-        fix: "Escape special LDAP characters in user input"
-      },
-      {
-        id: "A03-template-injection",
-        name: "Template Injection",
-        severity: "critical",
-        patterns: [
-          /render\s*\(\s*req\.(body|query|params)/,
-          /compile\s*\(\s*req\./,
-          /\$\{\s*eval\s*\(/
-        ],
-        message: "Potential server-side template injection",
-        fix: "Never pass user input directly to template engines"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A04:2021 - INSECURE DESIGN
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A04": {
-    id: "A04",
-    name: "Insecure Design",
-    description: "Missing or ineffective security controls in design",
-    cwe: ["CWE-209", "CWE-256", "CWE-501", "CWE-522"],
-    rules: [
-      {
-        id: "A04-no-rate-limit",
-        name: "Missing Rate Limiting",
-        severity: "medium",
-        patterns: [
-          /router\.post\s*\(\s*['"][^'"]*(?:login|auth|register|password)[^'"]*['"]/
-        ],
-        negativePatterns: [/rateLimit|rateLimiter|throttle|slowDown/],
-        message: "Authentication endpoint may lack rate limiting",
-        fix: "Add rate limiting to prevent brute force attacks"
-      },
-      {
-        id: "A04-mass-assignment",
-        name: "Mass Assignment",
-        severity: "high",
-        patterns: [
-          /\.create\s*\(\s*req\.body\s*\)/,
-          /\.update\s*\(\s*req\.body\s*\)/,
-          /Object\.assign\s*\([^,]+,\s*req\.body\s*\)/,
-          /\{\s*\.\.\.req\.body\s*\}/
-        ],
-        message: "Potential mass assignment vulnerability",
-        fix: "Explicitly pick allowed fields from request body"
-      },
-      {
-        id: "A04-verbose-errors",
-        name: "Verbose Error Messages",
-        severity: "medium",
-        patterns: [
-          /res\.(?:status|json|send)\s*\([^)]*error\.stack/,
-          /res\.(?:status|json|send)\s*\([^)]*error\.message/,
-          /catch\s*\([^)]*\)\s*\{\s*res\.send\s*\(\s*\w+\s*\)/
-        ],
-        message: "Detailed error messages may leak sensitive information",
-        fix: "Return generic error messages in production"
-      },
-      {
-        id: "A04-unrestricted-upload",
-        name: "Unrestricted File Upload",
-        severity: "high",
-        patterns: [
-          /multer\s*\(\s*\{(?!.*fileFilter)/,
-          /upload\.(?:single|array|fields)\s*\(/
-        ],
-        negativePatterns: [/fileFilter|limits|whitelist|allowedTypes/],
-        message: "File upload may lack proper restrictions",
-        fix: "Validate file type, size, and name"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A05:2021 - SECURITY MISCONFIGURATION
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A05": {
-    id: "A05",
-    name: "Security Misconfiguration",
-    description: "Missing security hardening or improperly configured permissions",
-    cwe: ["CWE-16", "CWE-209", "CWE-548"],
-    rules: [
-      {
-        id: "A05-debug-enabled",
-        name: "Debug Mode Enabled",
-        severity: "high",
-        patterns: [
-          /DEBUG\s*[:=]\s*(?:true|1|['"]true['"])/i,
-          /\.set\s*\(\s*['"]debug['"]\s*,\s*true\s*\)/,
-          /NODE_ENV\s*[:=]\s*['"]development['"]/
-        ],
-        filePatterns: [/\.env\.prod|config.*prod|production/i],
-        message: "Debug mode may be enabled in production",
-        fix: "Ensure DEBUG is disabled and NODE_ENV is 'production'"
-      },
-      {
-        id: "A05-cors-wildcard",
-        name: "CORS Wildcard",
-        severity: "high",
-        patterns: [
-          /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/,
-          /Access-Control-Allow-Origin['"]\s*,\s*['"]\*/,
-          /origin\s*:\s*true/
-        ],
-        message: "CORS allows all origins",
-        fix: "Restrict CORS to specific trusted origins"
-      },
-      {
-        id: "A05-helmet-missing",
-        name: "Missing Security Headers",
-        severity: "medium",
-        patterns: [
-          /app\.use\s*\(\s*express\s*\(/
-        ],
-        negativePatterns: [/helmet|security-headers/],
-        message: "Express app may be missing security headers",
-        fix: "Use helmet middleware for security headers"
-      },
-      {
-        id: "A05-default-credentials",
-        name: "Default Credentials",
-        severity: "critical",
-        patterns: [
-          /(?:password|pwd)\s*[:=]\s*['"](?:admin|password|123456|default|root)['"]/i,
-          /(?:username|user)\s*[:=]\s*['"](?:admin|root|user)['"]/i
-        ],
-        message: "Possible default or weak credentials",
-        fix: "Use strong, unique credentials"
-      },
-      {
-        id: "A05-exposed-stack",
-        name: "Exposed Stack Trace",
-        severity: "medium",
-        patterns: [
-          /res\.(?:send|json)\s*\(\s*(?:err|error)\.stack/,
-          /console\.(?:log|error)\s*\(\s*(?:err|error)\.stack/
-        ],
-        message: "Stack traces may be exposed to clients",
-        fix: "Hide stack traces in production responses"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A06:2021 - VULNERABLE COMPONENTS
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A06": {
-    id: "A06",
-    name: "Vulnerable and Outdated Components",
-    description: "Using components with known vulnerabilities",
-    cwe: ["CWE-937", "CWE-1035", "CWE-1104"],
-    rules: [
-      {
-        id: "A06-outdated-package",
-        name: "Outdated Package",
-        severity: "medium",
-        checkDependencies: true,
-        message: "Package may have known vulnerabilities",
-        fix: "Run npm audit and update vulnerable packages"
-      },
-      {
-        id: "A06-deprecated-api",
-        name: "Deprecated API Usage",
-        severity: "low",
-        patterns: [
-          /new\s+Buffer\s*\(/,
-          /escape\s*\(/,
-          /unescape\s*\(/,
-          /\.substr\s*\(/
-        ],
-        message: "Using deprecated API",
-        fix: "Use modern alternatives"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A07:2021 - AUTHENTICATION FAILURES
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A07": {
-    id: "A07",
-    name: "Identification and Authentication Failures",
-    description: "Weak or broken authentication mechanisms",
-    cwe: ["CWE-287", "CWE-288", "CWE-384", "CWE-521", "CWE-613"],
-    rules: [
-      {
-        id: "A07-weak-password",
-        name: "Weak Password Requirements",
-        severity: "high",
-        patterns: [
-          /password\.length\s*[<>=]+\s*[1-7]\b/,
-          /minLength\s*:\s*[1-7]\b.*password/i
-        ],
-        message: "Weak password length requirement",
-        fix: "Require passwords of at least 8 characters"
-      },
-      {
-        id: "A07-jwt-none",
-        name: "JWT Algorithm None",
-        severity: "critical",
-        patterns: [
-          /algorithm\s*:\s*['"]none['"]/i,
-          /algorithms\s*:\s*\[.*['"]none['"]/i
-        ],
-        message: "JWT allows 'none' algorithm",
-        fix: "Specify explicit algorithms, exclude 'none'"
-      },
-      {
-        id: "A07-session-fixation",
-        name: "Session Fixation Risk",
-        severity: "high",
-        patterns: [
-          /req\.session\s*=\s*\{/
-        ],
-        negativePatterns: [/regenerate|destroy|reset/],
-        message: "Session may be vulnerable to fixation",
-        fix: "Regenerate session ID after authentication"
-      },
-      {
-        id: "A07-credential-logging",
-        name: "Credential Logging",
-        severity: "critical",
-        patterns: [
-          /console\.(?:log|info|debug)\s*\([^)]*(?:password|token|secret|key|credential)/i,
-          /logger\.(?:log|info|debug)\s*\([^)]*(?:password|token|secret)/i
-        ],
-        message: "Credentials may be logged",
-        fix: "Never log sensitive credentials"
-      },
-      {
-        id: "A07-insecure-cookie",
-        name: "Insecure Cookie Settings",
-        severity: "high",
-        patterns: [
-          /cookie\s*:\s*\{(?!.*secure\s*:\s*true)/,
-          /cookie\s*:\s*\{(?!.*httpOnly\s*:\s*true)/,
-          /res\.cookie\s*\([^)]+\)(?!.*secure)/
-        ],
-        message: "Cookie may lack secure settings",
-        fix: "Set secure, httpOnly, and sameSite cookie flags"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A08:2021 - DATA INTEGRITY FAILURES
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A08": {
-    id: "A08",
-    name: "Software and Data Integrity Failures",
-    description: "Code and infrastructure without integrity verification",
-    cwe: ["CWE-345", "CWE-353", "CWE-426", "CWE-494", "CWE-502"],
-    rules: [
-      {
-        id: "A08-unsafe-deserialization",
-        name: "Unsafe Deserialization",
-        severity: "critical",
-        patterns: [
-          /JSON\.parse\s*\(\s*(?:req\.body|userInput|data)/,
-          /unserialize\s*\(/,
-          /pickle\.loads?\s*\(/,
-          /yaml\.load\s*\(/
-        ],
-        message: "Unsafe deserialization of user input",
-        fix: "Validate and sanitize before deserialization"
-      },
-      {
-        id: "A08-eval-data",
-        name: "Eval of External Data",
-        severity: "critical",
-        patterns: [
-          /eval\s*\(\s*(?:req\.|data|input|response)/,
-          /new\s+Function\s*\([^)]*(?:req\.|data)/
-        ],
-        message: "Evaluating external data is dangerous",
-        fix: "Never use eval() with external data"
-      },
-      {
-        id: "A08-unsigned-update",
-        name: "Unsigned Software Updates",
-        severity: "high",
-        patterns: [
-          /auto[_-]?update|self[_-]?update/i
-        ],
-        negativePatterns: [/verify|signature|checksum|hash/i],
-        message: "Software update may lack integrity verification",
-        fix: "Verify signatures before applying updates"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A09:2021 - SECURITY LOGGING FAILURES
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A09": {
-    id: "A09",
-    name: "Security Logging and Monitoring Failures",
-    description: "Insufficient logging and monitoring",
-    cwe: ["CWE-117", "CWE-223", "CWE-532", "CWE-778"],
-    rules: [
-      {
-        id: "A09-no-auth-logging",
-        name: "Missing Authentication Logging",
-        severity: "medium",
-        patterns: [
-          /(?:login|authenticate|signin)\s*(?:=|:)\s*async/i
-        ],
-        negativePatterns: [/log|audit|track|record/i],
-        message: "Authentication may not be logged",
-        fix: "Log authentication attempts with timestamps"
-      },
-      {
-        id: "A09-sensitive-logging",
-        name: "Sensitive Data in Logs",
-        severity: "high",
-        patterns: [
-          /(?:logger|console|winston|pino)\.(?:log|info|debug|error)\s*\([^)]*(?:password|credit|ssn|token)/i
-        ],
-        message: "Sensitive data may be logged",
-        fix: "Mask or exclude sensitive data from logs"
-      },
-      {
-        id: "A09-log-injection",
-        name: "Log Injection",
-        severity: "medium",
-        patterns: [
-          /console\.log\s*\(\s*[`'"].*\$\{.*req\./,
-          /logger\.(?:log|info)\s*\(\s*req\.(?:body|params|query)/
-        ],
-        message: "User input in logs may enable log injection",
-        fix: "Sanitize user input before logging"
-      }
-    ]
-  },
-
-  // ─────────────────────────────────────────────────────────────────────────────
-  // A10:2021 - SERVER-SIDE REQUEST FORGERY
-  // ─────────────────────────────────────────────────────────────────────────────
-  "A10": {
-    id: "A10",
-    name: "Server-Side Request Forgery (SSRF)",
-    description: "Fetching remote resources without validating user input",
-    cwe: ["CWE-918"],
-    rules: [
-      {
-        id: "A10-ssrf",
-        name: "SSRF Vulnerability",
-        severity: "critical",
-        patterns: [
-          /fetch\s*\(\s*(?:req\.(?:body|query|params)|url|uri)/,
-          /axios\.(?:get|post|put)\s*\(\s*(?:req\.(?:body|query)|url)/,
-          /request\s*\(\s*(?:req\.(?:body|query)|options\.url)/,
-          /http\.(?:get|request)\s*\(\s*(?:req\.|url)/
-        ],
-        message: "Potential SSRF - user input used in server-side request",
-        fix: "Validate and allowlist URLs, block internal IPs"
-      },
-      {
-        id: "A10-open-redirect",
-        name: "Open Redirect",
-        severity: "medium",
-        patterns: [
-          /res\.redirect\s*\(\s*req\.(?:query|body|params)\.(?:url|redirect|next|return)/,
-          /window\.location\s*=\s*(?:params|query|data)\./
-        ],
-        message: "Potential open redirect vulnerability",
-        fix: "Validate redirect URLs against allowlist"
-      }
-    ]
-  }
-};
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// OWASP SCANNER ENGINE
-// ═══════════════════════════════════════════════════════════════════════════════
-
-class OWASPScanner {
-  constructor(options = {}) {
-    this.projectRoot = options.projectRoot || process.cwd();
-    this.rules = { ...OWASP_RULES };
-    this.ignorePaths = options.ignorePaths || [
-      "**/node_modules/**",
-      "**/dist/**",
-      "**/build/**",
-      "**/*.test.*",
-      "**/*.spec.*",
-      "**/test/**",
-      "**/tests/**"
-    ];
-    this.results = [];
-  }
-
-  /**
-   * Scan a single file
-   */
-  scanFile(filePath, content = null) {
-    const findings = [];
-    
-    // Read file if content not provided
-    if (content === null) {
-      const fullPath = path.isAbsolute(filePath) 
-        ? filePath 
-        : path.join(this.projectRoot, filePath);
-      
-      if (!fs.existsSync(fullPath)) {
-        return { file: filePath, findings: [], error: "File not found" };
-      }
-      
-      content = fs.readFileSync(fullPath, "utf8");
-    }
-
-    // Apply each category's rules
-    for (const [categoryId, category] of Object.entries(this.rules)) {
-      for (const rule of category.rules) {
-        // Skip dependency checks for now
-        if (rule.checkDependencies) continue;
-        
-        // Check file pattern match
-        if (rule.filePatterns) {
-          const matches = rule.filePatterns.some(p => p.test(filePath));
-          if (!matches) continue;
-        }
-
-        // Check context if specified
-        if (rule.context && !rule.context.test(content)) {
-          continue;
-        }
-
-        // Check patterns
-        for (const pattern of (rule.patterns || [])) {
-          const regex = new RegExp(pattern.source, "gm");
-          let match;
-          
-          while ((match = regex.exec(content)) !== null) {
-            // Check negative patterns (should NOT match)
-            if (rule.negativePatterns) {
-              const context = content.substring(
-                Math.max(0, match.index - 200),
-                Math.min(content.length, match.index + match[0].length + 200)
-              );
-              
-              const hasNegative = rule.negativePatterns.some(np => np.test(context));
-              if (hasNegative) continue;
-            }
-
-            const line = content.substring(0, match.index).split("\n").length;
-            
-            findings.push({
-              ruleId: rule.id,
-              ruleName: rule.name,
-              category: categoryId,
-              categoryName: category.name,
-              severity: rule.severity,
-              file: filePath,
-              line,
-              match: match[0].substring(0, 100),
-              message: rule.message,
-              fix: rule.fix,
-              cwe: category.cwe?.[0]
-            });
-          }
-        }
-      }
-    }
-
-    return {
-      file: filePath,
-      findings,
-      summary: this.summarizeFindings(findings)
-    };
-  }
-
-  /**
-   * Scan multiple files
-   */
-  scanFiles(files) {
-    this.results = [];
-    
-    for (const file of files) {
-      const filePath = typeof file === "string" ? file : file.path;
-      const content = typeof file === "string" ? null : file.content;
-      
-      // Skip ignored paths
-      if (this.shouldIgnore(filePath)) continue;
-
-      const result = this.scanFile(filePath, content);
-      
-      if (result.findings.length > 0) {
-        this.results.push(result);
-      }
-    }
-
-    return {
-      files: this.results,
-      totalFindings: this.results.reduce((sum, r) => sum + r.findings.length, 0),
-      summary: this.generateOverallSummary()
-    };
-  }
-
-  /**
-   * Scan entire directory
-   */
-  scanDirectory(dirPath = this.projectRoot) {
-    const files = this.collectFiles(dirPath);
-    return this.scanFiles(files);
-  }
-
-  /**
-   * Collect scannable files
-   */
-  collectFiles(dirPath, collected = []) {
-    const extensions = [".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"];
-    
-    try {
-      const entries = fs.readdirSync(dirPath, { withFileTypes: true });
-      
-      for (const entry of entries) {
-        const fullPath = path.join(dirPath, entry.name);
-        const relativePath = path.relative(this.projectRoot, fullPath);
-        
-        if (this.shouldIgnore(relativePath)) continue;
-        
-        if (entry.isDirectory()) {
-          this.collectFiles(fullPath, collected);
-        } else if (extensions.some(ext => entry.name.endsWith(ext))) {
-          collected.push(relativePath);
-        }
-      }
-    } catch {
-      // Skip unreadable directories
-    }
-    
-    return collected;
-  }
-
-  /**
-   * Check if path should be ignored
-   */
-  shouldIgnore(filePath) {
-    for (const pattern of this.ignorePaths) {
-      const regex = new RegExp(
-        pattern
-          .replace(/\*\*/g, ".*")
-          .replace(/\*/g, "[^/]*")
-      );
-      if (regex.test(filePath)) {
-        return true;
-      }
-    }
-    return false;
-  }
-
-  /**
-   * Summarize findings
-   */
-  summarizeFindings(findings) {
-    const bySeverity = {
-      critical: findings.filter(f => f.severity === "critical").length,
-      high: findings.filter(f => f.severity === "high").length,
-      medium: findings.filter(f => f.severity === "medium").length,
-      low: findings.filter(f => f.severity === "low").length
-    };
-
-    return {
-      total: findings.length,
-      bySeverity,
-      criticalOrHigh: bySeverity.critical + bySeverity.high
-    };
-  }
-
-  /**
-   * Generate overall summary
-   */
-  generateOverallSummary() {
-    const allFindings = this.results.flatMap(r => r.findings);
-    
-    const bySeverity = {
-      critical: allFindings.filter(f => f.severity === "critical"),
-      high: allFindings.filter(f => f.severity === "high"),
-      medium: allFindings.filter(f => f.severity === "medium"),
-      low: allFindings.filter(f => f.severity === "low")
-    };
-
-    const byCategory = {};
-    for (const finding of allFindings) {
-      if (!byCategory[finding.category]) {
-        byCategory[finding.category] = [];
-      }
-      byCategory[finding.category].push(finding);
-    }
-
-    // Calculate security score
-    const score = this.calculateSecurityScore(bySeverity);
-
-    return {
-      filesScanned: this.results.length,
-      totalFindings: allFindings.length,
-      bySeverity: {
-        critical: bySeverity.critical.length,
-        high: bySeverity.high.length,
-        medium: bySeverity.medium.length,
-        low: bySeverity.low.length
-      },
-      byCategory: Object.fromEntries(
-        Object.entries(byCategory).map(([k, v]) => [k, v.length])
-      ),
-      securityScore: score,
-      owaspCoverage: this.getOWASPCoverage(byCategory)
-    };
-  }
-
-  /**
-   * Calculate security score (0-100)
-   */
-  calculateSecurityScore(bySeverity) {
-    // Weight: critical = 25, high = 10, medium = 5, low = 2
-    const deductions = 
-      bySeverity.critical.length * 25 +
-      bySeverity.high.length * 10 +
-      bySeverity.medium.length * 5 +
-      bySeverity.low.length * 2;
-    
-    return Math.max(0, 100 - deductions);
-  }
-
-  /**
-   * Get OWASP Top 10 coverage
-   */
-  getOWASPCoverage(byCategory) {
-    const coverage = {};
-    
-    for (const categoryId of Object.keys(this.rules)) {
-      const findings = byCategory[categoryId] || [];
-      coverage[categoryId] = {
-        name: this.rules[categoryId].name,
-        findings: findings.length,
-        status: findings.length === 0 ? "PASS" : 
-                findings.some(f => f.severity === "critical") ? "CRITICAL" :
-                findings.some(f => f.severity === "high") ? "FAIL" : "WARN"
-      };
-    }
-    
-    return coverage;
-  }
-
-  /**
-   * Generate security report
-   */
-  generateReport() {
-    const summary = this.generateOverallSummary();
-    
-    return {
-      timestamp: new Date().toISOString(),
-      summary,
-      owaspCoverage: summary.owaspCoverage,
-      criticalFindings: this.results
-        .flatMap(r => r.findings)
-        .filter(f => f.severity === "critical")
-        .map(f => ({
-          file: f.file,
-          line: f.line,
-          rule: f.ruleName,
-          message: f.message,
-          fix: f.fix
-        })),
-      recommendations: this.generateRecommendations(summary)
-    };
-  }
-
-  /**
-   * Generate security recommendations
-   */
-  generateRecommendations(summary) {
-    const recommendations = [];
-    
-    for (const [categoryId, data] of Object.entries(summary.owaspCoverage)) {
-      if (data.status !== "PASS") {
-        const category = this.rules[categoryId];
-        recommendations.push({
-          category: categoryId,
-          name: category.name,
-          priority: data.status === "CRITICAL" ? "immediate" : "high",
-          description: category.description,
-          affectedAreas: data.findings,
-          cwe: category.cwe
-        });
-      }
-    }
-    
-    return recommendations.sort((a, b) => {
-      const priority = { immediate: 0, high: 1, medium: 2, low: 3 };
-      return priority[a.priority] - priority[b.priority];
-    });
-  }
-}
-
-// ═══════════════════════════════════════════════════════════════════════════════
-// EXPORTS
-// ═══════════════════════════════════════════════════════════════════════════════
-
-module.exports = {
-  OWASPScanner,
-  OWASP_RULES
-};