npm - @zerothreatai/vulnerability-registry - Versions diffs - 3.0.0 → 5.0.0 - Mend

@zerothreatai/vulnerability-registry 3.0.0 → 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/dist/categories/authentication.js +34 -17
package/dist/categories/configuration.js +561 -60
package/dist/categories/injection.js +68 -34
package/dist/categories/sensitive-paths.js +168 -84
package/dist/categories/ssrf.js +22 -11
package/dist/categories/xss.js +30 -15
package/dist/category.d.ts +6 -0
package/dist/category.js +15 -0
package/dist/error-codes.d.ts +20 -0
package/dist/error-codes.js +20 -0
package/dist/index.d.ts +9 -1
package/dist/index.js +5 -1
package/dist/scanner.d.ts +6 -0
package/dist/scanner.js +22 -0
package/dist/types.d.ts +2 -0
package/dist-cjs/categories/authentication.js +34 -17
package/dist-cjs/categories/configuration.js +561 -60
package/dist-cjs/categories/injection.js +68 -34
package/dist-cjs/categories/sensitive-paths.js +168 -84
package/dist-cjs/categories/ssrf.js +22 -11
package/dist-cjs/categories/xss.js +30 -15
package/dist-cjs/category.js +18 -0
package/dist-cjs/error-codes.js +20 -0
package/dist-cjs/index.js +7 -1
package/dist-cjs/scanner.js +25 -0
package/package.json +35 -32
package/scripts/assign-ids.ts +105 -0
package/scripts/check-duplicate-ids.ts +45 -0
package/src/categories/authentication.ts +145 -128
package/src/categories/configuration.ts +1632 -1111
package/src/categories/injection.ts +158 -124
package/src/categories/sensitive-paths.ts +168 -84
package/src/categories/ssrf.ts +22 -11
package/src/categories/xss.ts +30 -15
package/src/category.ts +16 -0
package/src/error-codes.ts +25 -5
package/src/id-registry.json +1235 -0
package/src/index.ts +20 -14
package/src/scanner.ts +23 -0
package/src/types.ts +4 -2
package/zerothreatai-vulnerability-registry-4npm .0.0.tgz +0 -0
package/src/categories/authentication.d.ts +0 -8
package/src/categories/authentication.d.ts.map +0 -1
package/src/categories/authentication.js +0 -378
package/src/categories/authentication.js.map +0 -1
package/src/categories/configuration.d.ts +0 -8
package/src/categories/configuration.d.ts.map +0 -1
package/src/categories/configuration.js +0 -906
package/src/categories/configuration.js.map +0 -1
package/src/categories/injection.d.ts +0 -8
package/src/categories/injection.d.ts.map +0 -1
package/src/categories/injection.js +0 -750
package/src/categories/injection.js.map +0 -1
package/src/categories/sensitive-paths.d.ts +0 -9
package/src/categories/sensitive-paths.d.ts.map +0 -1
package/src/categories/sensitive-paths.js +0 -1791
package/src/categories/sensitive-paths.js.map +0 -1
package/src/categories/ssrf.d.ts +0 -8
package/src/categories/ssrf.d.ts.map +0 -1
package/src/categories/ssrf.js +0 -250
package/src/categories/ssrf.js.map +0 -1
package/src/categories/xss.d.ts +0 -7
package/src/categories/xss.d.ts.map +0 -1
package/src/categories/xss.js +0 -328
package/src/categories/xss.js.map +0 -1
package/src/error-codes.d.ts +0 -242
package/src/error-codes.d.ts.map +0 -1
package/src/error-codes.js +0 -315
package/src/error-codes.js.map +0 -1
package/src/index.d.ts +0 -60
package/src/index.d.ts.map +0 -1
package/src/index.js +0 -107
package/src/index.js.map +0 -1
package/src/types.d.ts +0 -86
package/src/types.d.ts.map +0 -1
package/src/types.js +0 -7
package/src/types.js.map +0 -1

package/src/categories/configuration.js DELETED Viewed

@@ -1,906 +0,0 @@
-"use strict";
-/**
- * Vulnerability Registry - Configuration & Headers
- *
- * Definitions for Security Headers, Directory Browsing, and related issues
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.CONFIG_VULNERABILITIES = void 0;
-const error_codes_js_1 = require("../error-codes.js");
-exports.CONFIG_VULNERABILITIES = {
-    // ========================================
-    // SECURITY HEADERS
-    // ========================================
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_CSP]: {
-        id: 69,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_CSP,
-        title: 'Missing Security Header - Content-Security-Policy',
-        description: 'The application does not implement Content-Security-Policy header, leaving it vulnerable to cross-site scripting attacks that could be mitigated by restricting the sources from which scripts, styles, and other resources can be loaded into the page.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Implement Content-Security-Policy header with strict directives. Start with default-src self and progressively add required sources. Use nonce-based CSP for inline scripts.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_HSTS]: {
-        id: 70,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_HSTS,
-        title: 'Missing Security Header - Strict-Transport-Security',
-        description: 'The application does not implement HSTS (HTTP Strict Transport Security) header, leaving users vulnerable to SSL stripping attacks and man-in-the-middle downgrades from HTTPS to HTTP connections on initial visits or after cookie expiration.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-319', name: 'Cleartext Transmission', url: 'https://cwe.mitre.org/data/definitions/319.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Add Strict-Transport-Security header with max-age of at least 31536000 (1 year). Include includeSubDomains directive. Consider HSTS preloading for maximum protection.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XFRAME]: {
-        id: 71,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XFRAME,
-        title: 'Missing Security Header - X-Frame-Options',
-        description: 'The application does not set X-Frame-Options header, making it vulnerable to clickjacking attacks where malicious websites can embed the application in invisible iframes and trick users into performing unintended actions through deceptive UI overlays.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 4.7,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers', url: 'https://cwe.mitre.org/data/definitions/1021.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set X-Frame-Options header to DENY or SAMEORIGIN. Use Content-Security-Policy frame-ancestors directive for more granular control. Both headers can be used together for compatibility.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_WEAK_CSP]: {
-        id: 72,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_WEAK_CSP,
-        title: 'Weak Content-Security-Policy Configuration',
-        description: 'The Content-Security-Policy header contains unsafe directives like unsafe-inline, unsafe-eval, or overly permissive source allowlists that significantly reduce its effectiveness as an XSS mitigation and may create false sense of security.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Remove unsafe-inline and unsafe-eval directives. Use nonce-based or hash-based CSP for inline scripts. Restrict source allowlists to specific trusted domains rather than wildcards.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_CORS_MISCONFIGURED]: {
-        id: 73,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_CORS_MISCONFIGURED,
-        title: 'CORS Misconfiguration',
-        description: 'Cross-Origin Resource Sharing is misconfigured with overly permissive Access-Control-Allow-Origin headers including wildcard (*) with credentials, or dynamic reflection of Origin header without proper validation, enabling cross-origin data theft.',
-        severity: 'high',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 7.5,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-942', name: 'Permissive CORS Policy', url: 'https://cwe.mitre.org/data/definitions/942.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Implement strict Origin validation with allowlist of trusted domains. Never reflect Origin header without validation. Do not use wildcard with Access-Control-Allow-Credentials.',
-    },
-    // ========================================
-    // DIRECTORY BROWSING
-    // ========================================
-    [error_codes_js_1.VulnerabilityCode.DIRBROWSE_ENABLED]: {
-        id: 74,
-        code: error_codes_js_1.VulnerabilityCode.DIRBROWSE_ENABLED,
-        title: 'Directory Listing Enabled',
-        description: 'Web server directory listing is enabled, exposing the contents of directories to anyone who browses to them without an index file. This reveals application structure, backup files, configuration files, and potentially sensitive data to attackers.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'directory-browsing',
-        cvss: {
-            score: 3.7,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-548', name: 'Directory Listing', url: 'https://cwe.mitre.org/data/definitions/548.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Disable directory listing in web server configuration (Options -Indexes in Apache, autoindex off in nginx). Ensure all directories have proper index files.',
-    },
-    [error_codes_js_1.VulnerabilityCode.DIRBROWSE_SENSITIVE]: {
-        id: 75,
-        code: error_codes_js_1.VulnerabilityCode.DIRBROWSE_SENSITIVE,
-        title: 'Directory Listing Exposing Sensitive Content',
-        description: 'Directory listing is enabled on a directory containing sensitive files like backups, configuration files, source code, or credentials. This elevates the risk significantly as attackers can directly access sensitive information without guessing filenames.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'directory-browsing',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-548', name: 'Directory Listing', url: 'https://cwe.mitre.org/data/definitions/548.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Immediately disable directory listing. Remove sensitive files from web-accessible directories. Implement proper access controls. Audit exposed content for credentials or sensitive data.',
-    },
-    // ========================================
-    // CLICKJACKING
-    // ========================================
-    [error_codes_js_1.VulnerabilityCode.CLICK_FRAMEABLE]: {
-        id: 76,
-        code: error_codes_js_1.VulnerabilityCode.CLICK_FRAMEABLE,
-        title: 'Clickjacking - Page Frameable',
-        description: 'The application pages can be embedded in iframes on malicious websites, enabling clickjacking attacks where attackers overlay transparent frames over deceptive UI elements to trick users into clicking hidden buttons or links that perform unintended actions.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 4.7,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers', url: 'https://cwe.mitre.org/data/definitions/1021.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Implement X-Frame-Options header with DENY or SAMEORIGIN value. Use Content-Security-Policy frame-ancestors directive. Add JavaScript frame-busting code as defense in depth.',
-    },
-    // ========================================
-    // DESERIALIZATION
-    // ========================================
-    [error_codes_js_1.VulnerabilityCode.DESER_JAVA]: {
-        id: 77,
-        code: error_codes_js_1.VulnerabilityCode.DESER_JAVA,
-        title: 'Insecure Deserialization - Java',
-        description: 'Critical Java deserialization vulnerability where untrusted serialized objects are processed, allowing attackers to achieve remote code execution through gadget chains in common libraries like Apache Commons Collections, Spring Framework, or other classpath dependencies.',
-        severity: 'critical',
-        category: 'injection',
-        scanner: 'deserialization',
-        cvss: {
-            score: 9.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-502', name: 'Deserialization of Untrusted Data', url: 'https://cwe.mitre.org/data/definitions/502.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Do not deserialize untrusted data. Use JSON or XML instead of Java serialization. Implement ObjectInputFilter (JEP 290) to restrict deserializable classes. Remove vulnerable gadget libraries.',
-    },
-    [error_codes_js_1.VulnerabilityCode.DESER_PHP]: {
-        id: 78,
-        code: error_codes_js_1.VulnerabilityCode.DESER_PHP,
-        title: 'Insecure Deserialization - PHP',
-        description: 'Critical PHP deserialization vulnerability where unserialize() processes attacker-controlled data, enabling object injection attacks through magic methods like __wakeup(), __destruct(), or __toString() in application or framework classes for remote code execution.',
-        severity: 'critical',
-        category: 'injection',
-        scanner: 'deserialization',
-        cvss: {
-            score: 9.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-502', name: 'Deserialization of Untrusted Data', url: 'https://cwe.mitre.org/data/definitions/502.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Never pass user input to unserialize(). Use json_decode() instead. If serialization is required, use allowed_classes option with explicit allowlist. Audit code for pop chains.',
-    },
-    [error_codes_js_1.VulnerabilityCode.DESER_PYTHON]: {
-        id: 79,
-        code: error_codes_js_1.VulnerabilityCode.DESER_PYTHON,
-        title: 'Insecure Deserialization - Python',
-        description: 'Critical Python deserialization vulnerability through pickle/cPickle processing of untrusted data, enabling remote code execution via __reduce__ method exploitation. Python pickle is inherently unsafe and should never process untrusted input.',
-        severity: 'critical',
-        category: 'injection',
-        scanner: 'deserialization',
-        cvss: {
-            score: 9.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-502', name: 'Deserialization of Untrusted Data', url: 'https://cwe.mitre.org/data/definitions/502.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Never pickle untrusted data. Use JSON or other safe formats. If pickle is required, use cryptographic signatures to verify data integrity before deserialization.',
-    },
-    [error_codes_js_1.VulnerabilityCode.DESER_DOTNET]: {
-        id: 80,
-        code: error_codes_js_1.VulnerabilityCode.DESER_DOTNET,
-        title: 'Insecure Deserialization - .NET',
-        description: 'Critical .NET deserialization vulnerability through BinaryFormatter, ObjectStateFormatter, LosFormatter, or other dangerous formatters processing untrusted data, enabling remote code execution through gadget chains in the .NET runtime or third-party libraries.',
-        severity: 'critical',
-        category: 'injection',
-        scanner: 'deserialization',
-        cvss: {
-            score: 9.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-502', name: 'Deserialization of Untrusted Data', url: 'https://cwe.mitre.org/data/definitions/502.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Avoid BinaryFormatter for untrusted data. Use System.Text.Json or XmlSerializer with known types. For legacy code, implement SerializationBinder to restrict deserializable types.',
-    },
-    [error_codes_js_1.VulnerabilityCode.DESER_RUBY]: {
-        id: 81,
-        code: error_codes_js_1.VulnerabilityCode.DESER_RUBY,
-        title: 'Insecure Deserialization - Ruby',
-        description: 'Critical Ruby deserialization vulnerability through Marshal.load or YAML.load processing untrusted data, enabling remote code execution through Ruby object instantiation gadgets that execute arbitrary code during object reconstruction.',
-        severity: 'critical',
-        category: 'injection',
-        scanner: 'deserialization',
-        cvss: {
-            score: 9.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-502', name: 'Deserialization of Untrusted Data', url: 'https://cwe.mitre.org/data/definitions/502.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Never Marshal.load untrusted data. Use JSON.parse instead. For YAML, use YAML.safe_load with permitted_classes option. Sign serialized data with HMAC for integrity.',
-    },
-    [error_codes_js_1.VulnerabilityCode.DESER_NODE]: {
-        id: 82,
-        code: error_codes_js_1.VulnerabilityCode.DESER_NODE,
-        title: 'Insecure Deserialization - Node.js',
-        description: 'Critical Node.js deserialization vulnerability through node-serialize, funcster, or similar libraries that execute JavaScript during deserialization, enabling remote code execution when attacker-controlled serialized data containing functions or IIFE is processed.',
-        severity: 'critical',
-        category: 'injection',
-        scanner: 'deserialization',
-        cvss: {
-            score: 9.8,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H',
-            severity: 'CRITICAL',
-        },
-        cwe: [
-            { id: 'CWE-502', name: 'Deserialization of Untrusted Data', url: 'https://cwe.mitre.org/data/definitions/502.html' },
-        ],
-        owasp: [
-            { id: 'A08:2021', name: 'Software and Data Integrity Failures', url: 'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/' },
-        ],
-        remediation: 'Never use serialization libraries that can deserialize functions. Use JSON.parse() for data interchange. Avoid node-serialize and similar libraries. Implement input validation.',
-    },
-    [error_codes_js_1.VulnerabilityCode.CLICK_PARTIAL_PROTECTION]: {
-        id: 83,
-        code: error_codes_js_1.VulnerabilityCode.CLICK_PARTIAL_PROTECTION,
-        title: 'Clickjacking - Partial Protection',
-        description: 'Incomplete clickjacking protection where X-Frame-Options or frame-ancestors CSP is only applied on some pages, uses weak values like ALLOW-FROM with bypassable origins, or has inconsistent implementation allowing certain pages to be framed.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.7,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers', url: 'https://cwe.mitre.org/data/definitions/1021.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply consistent frame protection across all pages. Use DENY or SAMEORIGIN rather than ALLOW-FROM. Audit all endpoints for missing protection. Use CSP frame-ancestors instead of X-Frame-Options.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XCONTENT_TYPE]: {
-        id: 84,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XCONTENT_TYPE,
-        title: 'Missing Security Header - X-Content-Type-Options',
-        description: 'The application does not set X-Content-Type-Options: nosniff header, allowing browsers to perform MIME-type sniffing that can lead to XSS attacks when user-uploaded content is served with incorrect Content-Type and browsers execute it as script.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.7,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Add X-Content-Type-Options: nosniff header to all responses. Ensure correct Content-Type headers are set for all resources. Validate file types before serving user uploads.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY]: {
-        id: 85,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_REFERRER_POLICY,
-        title: 'Missing Security Header - Referrer-Policy',
-        description: 'The application does not implement Referrer-Policy header, potentially leaking sensitive URL information including session tokens, user IDs, or query parameters to external sites when users click links or resources are loaded from third-party domains.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-200', name: 'Information Exposure', url: 'https://cwe.mitre.org/data/definitions/200.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Implement Referrer-Policy header with strict-origin-when-cross-origin or no-referrer policy. Avoid passing sensitive data in URLs. Use POST requests for sensitive operations.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY]: {
-        id: 86,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_PERMISSIONS_POLICY,
-        title: 'Missing Security Header - Permissions-Policy',
-        description: 'The application does not implement Permissions-Policy (formerly Feature-Policy) header, allowing embedded frames or malicious scripts to access sensitive browser features like camera, microphone, geolocation, or payment APIs without explicit permission.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 2.0,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Add Permissions-Policy header restricting access to sensitive features. Disable features not needed by the application. Use () syntax to disallow features for all origins.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XSS_PROTECTION]: {
-        id: 87,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_MISSING_XSS_PROTECTION,
-        title: 'Missing Security Header - X-XSS-Protection',
-        description: 'The legacy X-XSS-Protection header is not set. While deprecated in modern browsers, it can provide defense-in-depth for older browsers that still honor this header for their built-in XSS auditor feature.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 0.0,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N',
-            severity: 'NONE',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set X-XSS-Protection: 0 to disable (recommended per OWASP) or use CSP instead. The XSS auditor has been removed from modern browsers due to security issues with block mode.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_COEP_WITHOUT_COOP]: {
-        id: 108,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_COEP_WITHOUT_COOP,
-        title: 'Header Misconfiguration - COEP Without COOP',
-        description: 'Cross-Origin-Embedder-Policy (COEP) is set without Cross-Origin-Opener-Policy (COOP), which can create inconsistent cross-origin isolation behavior and indicate incomplete or misapplied security header strategy for isolation-sensitive applications.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 2.0,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'If cross-origin isolation is required, deploy COEP together with COOP and validate the intended policy combination. Otherwise remove COEP to avoid confusing or inconsistent isolation posture.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_CORP_UNUSUAL]: {
-        id: 109,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_CORP_UNUSUAL,
-        title: 'Header Misconfiguration - Unusual CORP Value',
-        description: 'Cross-Origin-Resource-Policy (CORP) is set to a non-standard value, which may indicate a misconfiguration that provides no effective protection or creates unpredictable resource loading behavior across origins.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 2.0,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Use valid CORP values (same-origin, same-site, or cross-origin) and confirm the chosen policy aligns with the resource sharing model of the application.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_EXPECT_CT_PRESENT]: {
-        id: 110,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_EXPECT_CT_PRESENT,
-        title: 'Deprecated Header - Expect-CT Present',
-        description: 'The Expect-CT header is present even though the feature is deprecated and no longer enforced by major browsers, adding unnecessary configuration surface without meaningful security benefit.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 0.0,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N',
-            severity: 'NONE',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Remove Expect-CT unless you have a legacy operational requirement, and focus on TLS configuration and certificate transparency monitoring via modern tooling.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_SERVER_HEADER_PRESENT]: {
-        id: 111,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_SERVER_HEADER_PRESENT,
-        title: 'Information Exposure - Server Header Present',
-        description: 'The Server header reveals technology or version details that can assist attackers with fingerprinting and targeted exploitation, increasing the likelihood of tailored attacks against known software weaknesses.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-200', name: 'Information Exposure', url: 'https://cwe.mitre.org/data/definitions/200.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Configure the web server or reverse proxy to minimize or remove Server header details and avoid exposing version strings in responses.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_X_POWERED_BY_PRESENT]: {
-        id: 112,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_X_POWERED_BY_PRESENT,
-        title: 'Information Exposure - X-Powered-By Present',
-        description: 'The X-Powered-By header discloses framework or runtime information that can be used to fingerprint the application stack and target known vulnerabilities in specific platforms or versions.',
-        severity: 'info',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-200', name: 'Information Exposure', url: 'https://cwe.mitre.org/data/definitions/200.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Disable X-Powered-By headers in application frameworks or reverse proxies to reduce stack fingerprinting exposure.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_X_XSS_PROTECTION_ENABLED]: {
-        id: 113,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_X_XSS_PROTECTION_ENABLED,
-        title: 'Deprecated Header - X-XSS-Protection Enabled',
-        description: 'The X-XSS-Protection header is enabled, which is deprecated and can introduce security risks or inconsistent behavior in legacy browsers due to the removed XSS auditor feature.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Prefer modern CSP protections and set X-XSS-Protection: 0 or remove the header to avoid relying on deprecated behavior.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_SAMESITE_NONE_WITHOUT_SECURE]: {
-        id: 114,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_SAMESITE_NONE_WITHOUT_SECURE,
-        title: 'Cookie Misconfiguration - SameSite=None Without Secure',
-        description: 'A cookie is configured with SameSite=None but lacks the Secure attribute, enabling cross-site transmission over unencrypted connections and undermining cookie integrity and confidentiality controls.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-614', name: 'Sensitive Cookie in HTTPS Session Without Secure Attribute', url: 'https://cwe.mitre.org/data/definitions/614.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set Secure when SameSite=None is used and ensure the application is served exclusively over HTTPS.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_SESSION_MISSING_SECURE]: {
-        id: 115,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_SESSION_MISSING_SECURE,
-        title: 'Cookie Misconfiguration - Session Cookie Missing Secure',
-        description: 'Session or authentication cookies are missing the Secure attribute, allowing them to be transmitted over unencrypted connections and increasing the risk of session hijacking or credential theft.',
-        severity: 'high',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 7.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-614', name: 'Sensitive Cookie in HTTPS Session Without Secure Attribute', url: 'https://cwe.mitre.org/data/definitions/614.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply the Secure attribute to all session cookies and enforce HTTPS with HSTS to prevent downgrade to plaintext.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_MISSING_SECURE]: {
-        id: 116,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_MISSING_SECURE,
-        title: 'Cookie Misconfiguration - Missing Secure Attribute',
-        description: 'Cookies are set without the Secure attribute, permitting transmission over plaintext HTTP and exposing cookie contents to network interception or manipulation.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-614', name: 'Sensitive Cookie in HTTPS Session Without Secure Attribute', url: 'https://cwe.mitre.org/data/definitions/614.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set the Secure attribute on cookies that should only be transmitted over HTTPS.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_SESSION_MISSING_HTTPONLY]: {
-        id: 117,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_SESSION_MISSING_HTTPONLY,
-        title: 'Cookie Misconfiguration - Session Cookie Missing HttpOnly',
-        description: 'Session or authentication cookies are missing the HttpOnly attribute, allowing client-side scripts to access sensitive cookie values and increasing the impact of XSS attacks.',
-        severity: 'high',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 7.1,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N',
-            severity: 'HIGH',
-        },
-        cwe: [
-            { id: 'CWE-1004', name: 'Sensitive Cookie Without HttpOnly Flag', url: 'https://cwe.mitre.org/data/definitions/1004.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set HttpOnly on session cookies to reduce access from client-side scripts and pair with CSP to mitigate XSS risk.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_MISSING_HTTPONLY]: {
-        id: 118,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_MISSING_HTTPONLY,
-        title: 'Cookie Misconfiguration - Missing HttpOnly Attribute',
-        description: 'Cookies are missing the HttpOnly attribute, allowing JavaScript access to cookie values and increasing the potential impact of client-side script injection.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-1004', name: 'Sensitive Cookie Without HttpOnly Flag', url: 'https://cwe.mitre.org/data/definitions/1004.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Add HttpOnly to cookies that should not be accessed by JavaScript to reduce the impact of XSS.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_MISSING_SAMESITE]: {
-        id: 119,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_MISSING_SAMESITE,
-        title: 'Cookie Misconfiguration - Missing SameSite Attribute',
-        description: 'Cookies do not specify SameSite, which can allow cross-site requests to include cookies by default and increase exposure to CSRF-style attacks or cross-site leakage.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 4.3,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set SameSite=Lax for general cookies or SameSite=Strict where appropriate to reduce cross-site cookie inclusion.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_HOST_PREFIX_INVALID]: {
-        id: 120,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_HOST_PREFIX_INVALID,
-        title: 'Cookie Misconfiguration - __Host- Prefix Violations',
-        description: 'Cookies with the __Host- prefix do not meet required attributes (Secure, Path=/, no Domain), weakening the protections provided by host-only cookie semantics.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Ensure __Host- cookies include Secure, Path=/, and omit the Domain attribute to preserve host-only guarantees.',
-    },
-    [error_codes_js_1.VulnerabilityCode.COOKIE_SECURE_PREFIX_INVALID]: {
-        id: 121,
-        code: error_codes_js_1.VulnerabilityCode.COOKIE_SECURE_PREFIX_INVALID,
-        title: 'Cookie Misconfiguration - __Secure- Prefix Violations',
-        description: 'Cookies with the __Secure- prefix are missing the Secure attribute, which defeats the prefix requirement and weakens transport security protections.',
-        severity: 'medium',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 5.3,
-            vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N',
-            severity: 'MEDIUM',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set the Secure attribute for all __Secure- cookies and ensure HTTPS is enforced across the application.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_CSP]: {
-        id: 122,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_CSP,
-        title: 'Header Drift - Content-Security-Policy Inconsistent',
-        description: 'Content-Security-Policy is present on some paths but missing on others, creating uneven defenses and potentially exposing unprotected routes to script injection or content loading risks.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply CSP consistently across relevant responses, including error and authentication pages, to avoid gaps in policy coverage.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_HSTS]: {
-        id: 123,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_HSTS,
-        title: 'Header Drift - Strict-Transport-Security Inconsistent',
-        description: 'Strict-Transport-Security is present on some paths but missing on others, reducing the effectiveness of HTTPS enforcement and creating mixed transport behavior across the site.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Ensure HSTS is set uniformly on HTTPS responses so the browser can enforce strict transport for the entire origin.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_XCONTENT_TYPE]: {
-        id: 124,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_XCONTENT_TYPE,
-        title: 'Header Drift - X-Content-Type-Options Inconsistent',
-        description: 'X-Content-Type-Options is present on some paths but missing on others, allowing inconsistent MIME sniffing behavior that could expose unprotected routes to content-type confusion.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply X-Content-Type-Options: nosniff across all relevant responses to avoid inconsistent browser behavior.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_REFERRER_POLICY]: {
-        id: 125,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_REFERRER_POLICY,
-        title: 'Header Drift - Referrer-Policy Inconsistent',
-        description: 'Referrer-Policy is present on some paths but missing on others, leading to inconsistent referrer leakage controls and potential exposure of sensitive URL data.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Set a consistent Referrer-Policy across responses to standardize referrer leakage controls.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_XFRAME]: {
-        id: 126,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_XFRAME,
-        title: 'Header Drift - X-Frame-Options Inconsistent',
-        description: 'X-Frame-Options or equivalent framing controls are present on some paths but missing on others, creating uneven clickjacking protection across the site.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply X-Frame-Options or CSP frame-ancestors consistently to avoid unprotected pages.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_PERMISSIONS_POLICY]: {
-        id: 127,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_PERMISSIONS_POLICY,
-        title: 'Header Drift - Permissions-Policy Inconsistent',
-        description: 'Permissions-Policy is present on some paths but missing on others, leading to inconsistent controls over browser features such as geolocation, camera, or microphone.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply Permissions-Policy consistently for pages that should restrict access to sensitive browser features.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_COOP]: {
-        id: 128,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_COOP,
-        title: 'Header Drift - COOP Inconsistent',
-        description: 'Cross-Origin-Opener-Policy is present on some paths but missing on others, which can lead to uneven cross-origin isolation guarantees and inconsistent window isolation behavior.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply COOP consistently where cross-origin isolation is required and validate the policy across all relevant routes.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_COEP]: {
-        id: 129,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_COEP,
-        title: 'Header Drift - COEP Inconsistent',
-        description: 'Cross-Origin-Embedder-Policy is present on some paths but missing on others, resulting in inconsistent embedding restrictions and cross-origin isolation posture.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply COEP consistently on routes that are intended to enforce cross-origin embedding controls.',
-    },
-    [error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_CORP]: {
-        id: 130,
-        code: error_codes_js_1.VulnerabilityCode.HEADER_DRIFT_CORP,
-        title: 'Header Drift - CORP Inconsistent',
-        description: 'Cross-Origin-Resource-Policy is present on some paths but missing on others, which can leave inconsistent controls on resource sharing and embedding across the application.',
-        severity: 'low',
-        category: 'configuration',
-        scanner: 'security-headers',
-        cvss: {
-            score: 3.1,
-            vector: 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N',
-            severity: 'LOW',
-        },
-        cwe: [
-            { id: 'CWE-693', name: 'Protection Mechanism Failure', url: 'https://cwe.mitre.org/data/definitions/693.html' },
-        ],
-        owasp: [
-            { id: 'A05:2021', name: 'Security Misconfiguration', url: 'https://owasp.org/Top10/A05_2021-Security_Misconfiguration/' },
-        ],
-        remediation: 'Apply CORP consistently where resource sharing policies should be enforced across all relevant responses.',
-    },
-};
-exports.default = exports.CONFIG_VULNERABILITIES;