circle-ir-ai 1.1.0

package/dist/agents/multi/agents/security.js

@@ -0,0 +1,830 @@
+/**
+ * Security Agents
+ *
+ * Specialized agents for detecting security vulnerabilities.
+ * These agents analyze the enriched IR for different vulnerability types.
+ */
+import { registerAgent } from '../runner.js';
+// ============================================================================
+// SQL Injection Agent
+// ============================================================================
+export const sqlInjectionAgent = {
+    id: 'security.sql-injection',
+    name: 'SQL Injection Detector',
+    description: 'Detects SQL injection vulnerabilities by analyzing taint flows to SQL sinks',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        // Get SQL-related sinks from base IR
+        const sqlSinks = ir.base.taint.sinks.filter(s => s.type === 'sql_injection');
+        const sources = ir.base.taint.sources;
+        // Check for SQL patterns in strings
+        const sqlStrings = ir.strings.filter(s => s.pattern === 'sql');
+        for (const sink of sqlSinks) {
+            // Check if there's a taint path from any source
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `sqli-${sink.line}`,
+                    type: 'sql-injection',
+                    message: `Potential SQL injection at line ${sink.line}. User input may flow to SQL query.`,
+                    severity: 'critical',
+                    confidence: 0.9,
+                    cwe: 'CWE-89',
+                    owasp: 'A03:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Use parameterized queries (PreparedStatement) instead of string concatenation.',
+                });
+            }
+        }
+        // Check for string concatenation in SQL patterns
+        for (const str of sqlStrings) {
+            if (str.context === 'argument' || str.context === 'assignment') {
+                // Check if there's a source in the same method
+                const method = str.inMethod;
+                const hasSourceInMethod = sources.some(src => findContainingMethod(src.line, ir) === method);
+                if (hasSourceInMethod && !findings.some(f => f.location.line === str.line)) {
+                    findings.push({
+                        id: `sqli-string-${str.line}`,
+                        type: 'sql-injection',
+                        message: `SQL query pattern detected at line ${str.line}. Verify parameterization.`,
+                        severity: 'high',
+                        confidence: 0.7,
+                        cwe: 'CWE-89',
+                        location: {
+                            file: ir.filePath,
+                            line: str.line,
+                            column: str.column,
+                        },
+                        remediation: 'Use parameterized queries instead of string concatenation.',
+                    });
+                }
+            }
+        }
+        return {
+            agentId: sqlInjectionAgent.id,
+            agentName: sqlInjectionAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// XSS Agent
+// ============================================================================
+export const xssAgent = {
+    id: 'security.xss',
+    name: 'XSS Detector',
+    description: 'Detects Cross-Site Scripting vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        // Get XSS sinks from base IR
+        const xssSinks = ir.base.taint.sinks.filter(s => s.type === 'xss');
+        const sources = ir.base.taint.sources;
+        for (const sink of xssSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `xss-${sink.line}`,
+                    type: 'xss',
+                    message: `Potential XSS vulnerability at line ${sink.line}. User input may be written to response.`,
+                    severity: 'high',
+                    confidence: 0.85,
+                    cwe: 'CWE-79',
+                    owasp: 'A03:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Encode output using appropriate escaping (HTML, JavaScript, URL encoding).',
+                });
+            }
+        }
+        // Check for HTML patterns in strings with sources
+        const htmlStrings = ir.strings.filter(s => s.pattern === 'html');
+        for (const str of htmlStrings) {
+            const method = str.inMethod;
+            const hasSourceInMethod = sources.some(src => findContainingMethod(src.line, ir) === method);
+            if (hasSourceInMethod) {
+                findings.push({
+                    id: `xss-html-${str.line}`,
+                    type: 'xss',
+                    message: `HTML content generation at line ${str.line}. Verify proper encoding.`,
+                    severity: 'medium',
+                    confidence: 0.6,
+                    cwe: 'CWE-79',
+                    location: {
+                        file: ir.filePath,
+                        line: str.line,
+                    },
+                    remediation: 'Use a templating engine with automatic HTML escaping.',
+                });
+            }
+        }
+        return {
+            agentId: xssAgent.id,
+            agentName: xssAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Command Injection Agent
+// ============================================================================
+export const commandInjectionAgent = {
+    id: 'security.command-injection',
+    name: 'Command Injection Detector',
+    description: 'Detects OS command injection vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        // Get command injection sinks from base IR
+        const cmdSinks = ir.base.taint.sinks.filter(s => s.type === 'command_injection');
+        const sources = ir.base.taint.sources;
+        for (const sink of cmdSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `cmd-${sink.line}`,
+                    type: 'command-injection',
+                    message: `Potential command injection at line ${sink.line}. User input may flow to system command.`,
+                    severity: 'critical',
+                    confidence: 0.9,
+                    cwe: 'CWE-78',
+                    owasp: 'A03:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Avoid shell commands with user input. Use allowlists and ProcessBuilder with array arguments.',
+                });
+            }
+        }
+        return {
+            agentId: commandInjectionAgent.id,
+            agentName: commandInjectionAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Path Traversal Agent
+// ============================================================================
+export const pathTraversalAgent = {
+    id: 'security.path-traversal',
+    name: 'Path Traversal Detector',
+    description: 'Detects path traversal/directory traversal vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        // Get path traversal sinks from base IR
+        const pathSinks = ir.base.taint.sinks.filter(s => s.type === 'path_traversal');
+        const sources = ir.base.taint.sources;
+        for (const sink of pathSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `path-${sink.line}`,
+                    type: 'path-traversal',
+                    message: `Potential path traversal at line ${sink.line}. User input may control file path.`,
+                    severity: 'high',
+                    confidence: 0.85,
+                    cwe: 'CWE-22',
+                    owasp: 'A01:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Validate and canonicalize paths. Use allowlists for allowed directories.',
+                });
+            }
+        }
+        // Check for path patterns in strings
+        const pathStrings = ir.strings.filter(s => s.pattern === 'path');
+        for (const str of pathStrings) {
+            if (str.value.includes('..')) {
+                findings.push({
+                    id: `path-pattern-${str.line}`,
+                    type: 'path-traversal',
+                    message: `Path pattern with ".." detected at line ${str.line}. Review for traversal issues.`,
+                    severity: 'medium',
+                    confidence: 0.5,
+                    cwe: 'CWE-22',
+                    location: {
+                        file: ir.filePath,
+                        line: str.line,
+                    },
+                    remediation: 'Avoid using ".." in path construction. Canonicalize and validate paths.',
+                });
+            }
+        }
+        return {
+            agentId: pathTraversalAgent.id,
+            agentName: pathTraversalAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Deserialization Agent
+// ============================================================================
+export const deserializationAgent = {
+    id: 'security.deserialization',
+    name: 'Insecure Deserialization Detector',
+    description: 'Detects insecure deserialization vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        const deserSinks = ir.base.taint.sinks.filter(s => s.type === 'deserialization');
+        const sources = ir.base.taint.sources;
+        for (const sink of deserSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `deser-${sink.line}`,
+                    type: 'insecure-deserialization',
+                    message: `Insecure deserialization at line ${sink.line}. User input may control deserialized object.`,
+                    severity: 'critical',
+                    confidence: 0.9,
+                    cwe: 'CWE-502',
+                    owasp: 'A08:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Avoid deserializing untrusted data. Use allowlists for allowed classes or safer formats like JSON.',
+                });
+            }
+        }
+        // Check for dangerous deserialization patterns in calls
+        for (const call of ir.base.calls || []) {
+            if (/readObject|readUnshared|XMLDecoder/.test(call.method_name)) {
+                if (!findings.some(f => f.location.line === call.location.line)) {
+                    findings.push({
+                        id: `deser-call-${call.location.line}`,
+                        type: 'insecure-deserialization',
+                        message: `Potentially dangerous deserialization call: ${call.method_name} at line ${call.location.line}.`,
+                        severity: 'high',
+                        confidence: 0.7,
+                        cwe: 'CWE-502',
+                        location: {
+                            file: ir.filePath,
+                            line: call.location.line,
+                        },
+                        remediation: 'Review deserialization usage. Consider using ObjectInputFilter or safer alternatives.',
+                    });
+                }
+            }
+        }
+        return {
+            agentId: deserializationAgent.id,
+            agentName: deserializationAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// XXE Agent
+// ============================================================================
+export const xxeAgent = {
+    id: 'security.xxe',
+    name: 'XXE Detector',
+    description: 'Detects XML External Entity (XXE) vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        const xxeSinks = ir.base.taint.sinks.filter(s => s.type === 'xxe');
+        const sources = ir.base.taint.sources;
+        for (const sink of xxeSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `xxe-${sink.line}`,
+                    type: 'xxe',
+                    message: `Potential XXE vulnerability at line ${sink.line}. XML parser may process external entities.`,
+                    severity: 'high',
+                    confidence: 0.85,
+                    cwe: 'CWE-611',
+                    owasp: 'A05:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Disable external entity processing: setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)',
+                });
+            }
+        }
+        // Check for XML parser creation without security configuration
+        for (const call of ir.base.calls || []) {
+            if (/DocumentBuilderFactory|SAXParserFactory|XMLInputFactory/.test(call.receiver || '')) {
+                if (call.method_name === 'newInstance') {
+                    findings.push({
+                        id: `xxe-factory-${call.location.line}`,
+                        type: 'xxe',
+                        message: `XML parser created at line ${call.location.line}. Verify XXE protections are enabled.`,
+                        severity: 'medium',
+                        confidence: 0.6,
+                        cwe: 'CWE-611',
+                        location: {
+                            file: ir.filePath,
+                            line: call.location.line,
+                        },
+                        remediation: 'Configure parser to disable DTDs and external entities before use.',
+                    });
+                }
+            }
+        }
+        return {
+            agentId: xxeAgent.id,
+            agentName: xxeAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// LDAP Injection Agent
+// ============================================================================
+export const ldapInjectionAgent = {
+    id: 'security.ldap-injection',
+    name: 'LDAP Injection Detector',
+    description: 'Detects LDAP injection vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        const ldapSinks = ir.base.taint.sinks.filter(s => s.type === 'ldap_injection');
+        const sources = ir.base.taint.sources;
+        for (const sink of ldapSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `ldap-${sink.line}`,
+                    type: 'ldap-injection',
+                    message: `Potential LDAP injection at line ${sink.line}. User input may flow to LDAP query.`,
+                    severity: 'high',
+                    confidence: 0.85,
+                    cwe: 'CWE-90',
+                    owasp: 'A03:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Escape special LDAP characters or use parameterized LDAP queries.',
+                });
+            }
+        }
+        return {
+            agentId: ldapInjectionAgent.id,
+            agentName: ldapInjectionAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// XPath Injection Agent
+// ============================================================================
+export const xpathInjectionAgent = {
+    id: 'security.xpath-injection',
+    name: 'XPath Injection Detector',
+    description: 'Detects XPath injection vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        const xpathSinks = ir.base.taint.sinks.filter(s => s.type === 'xpath_injection');
+        const sources = ir.base.taint.sources;
+        for (const sink of xpathSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `xpath-${sink.line}`,
+                    type: 'xpath-injection',
+                    message: `Potential XPath injection at line ${sink.line}. User input may flow to XPath query.`,
+                    severity: 'high',
+                    confidence: 0.85,
+                    cwe: 'CWE-643',
+                    owasp: 'A03:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Use parameterized XPath queries or escape special characters.',
+                });
+            }
+        }
+        return {
+            agentId: xpathInjectionAgent.id,
+            agentName: xpathInjectionAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// SSRF Agent
+// ============================================================================
+export const ssrfAgent = {
+    id: 'security.ssrf',
+    name: 'SSRF Detector',
+    description: 'Detects Server-Side Request Forgery vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        const ssrfSinks = ir.base.taint.sinks.filter(s => s.type === 'ssrf');
+        const sources = ir.base.taint.sources;
+        for (const sink of ssrfSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `ssrf-${sink.line}`,
+                    type: 'ssrf',
+                    message: `Potential SSRF at line ${sink.line}. User input may control outbound request URL.`,
+                    severity: 'high',
+                    confidence: 0.85,
+                    cwe: 'CWE-918',
+                    owasp: 'A10:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Validate and allowlist destination URLs. Block internal/private IP ranges.',
+                });
+            }
+        }
+        // Check for URL patterns in strings with sources
+        const urlStrings = ir.strings.filter(s => s.pattern === 'url');
+        for (const str of urlStrings) {
+            const method = str.inMethod;
+            const hasSourceInMethod = sources.some(src => findContainingMethod(src.line, ir) === method);
+            if (hasSourceInMethod && str.context === 'argument') {
+                findings.push({
+                    id: `ssrf-url-${str.line}`,
+                    type: 'ssrf',
+                    message: `URL construction at line ${str.line} in method with user input. Verify SSRF protections.`,
+                    severity: 'medium',
+                    confidence: 0.6,
+                    cwe: 'CWE-918',
+                    location: {
+                        file: ir.filePath,
+                        line: str.line,
+                    },
+                    remediation: 'Validate URLs against an allowlist of permitted hosts.',
+                });
+            }
+        }
+        return {
+            agentId: ssrfAgent.id,
+            agentName: ssrfAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Code Injection Agent
+// ============================================================================
+export const codeInjectionAgent = {
+    id: 'security.code-injection',
+    name: 'Code Injection Detector',
+    description: 'Detects code injection and expression language injection vulnerabilities',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        const codeSinks = ir.base.taint.sinks.filter(s => s.type === 'code_injection');
+        const sources = ir.base.taint.sources;
+        for (const sink of codeSinks) {
+            const hasSourceInSameMethod = sources.some(src => src.line < sink.line && findContainingMethod(src.line, ir) === findContainingMethod(sink.line, ir));
+            if (hasSourceInSameMethod) {
+                findings.push({
+                    id: `code-${sink.line}`,
+                    type: 'code-injection',
+                    message: `Potential code injection at line ${sink.line}. User input may be executed as code.`,
+                    severity: 'critical',
+                    confidence: 0.9,
+                    cwe: 'CWE-94',
+                    owasp: 'A03:2021',
+                    location: {
+                        file: ir.filePath,
+                        line: sink.line,
+                    },
+                    sink: { line: sink.line, type: sink.type },
+                    remediation: 'Avoid dynamic code execution with user input. Use sandboxing if necessary.',
+                });
+            }
+        }
+        // Check for dangerous method calls
+        for (const call of ir.base.calls || []) {
+            if (/eval|ScriptEngine\.eval|GroovyShell\.evaluate|SpEL/.test(call.method_name)) {
+                findings.push({
+                    id: `code-eval-${call.location.line}`,
+                    type: 'code-injection',
+                    message: `Dynamic code execution at line ${call.location.line}: ${call.method_name}`,
+                    severity: 'high',
+                    confidence: 0.8,
+                    cwe: 'CWE-94',
+                    location: {
+                        file: ir.filePath,
+                        line: call.location.line,
+                    },
+                    remediation: 'Review dynamic code execution. Ensure user input cannot reach this call.',
+                });
+            }
+        }
+        return {
+            agentId: codeInjectionAgent.id,
+            agentName: codeInjectionAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Hardcoded Secrets Agent
+// ============================================================================
+export const hardcodedSecretsAgent = {
+    id: 'security.hardcoded-secrets',
+    name: 'Hardcoded Secrets Detector',
+    description: 'Detects hardcoded passwords, API keys, and other secrets',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        // Patterns for detecting secrets
+        const secretPatterns = [
+            { pattern: /password\s*=\s*["'][^"']+["']/i, type: 'hardcoded-password', severity: 'high' },
+            { pattern: /api[_-]?key\s*=\s*["'][^"']+["']/i, type: 'hardcoded-api-key', severity: 'high' },
+            { pattern: /secret\s*=\s*["'][^"']+["']/i, type: 'hardcoded-secret', severity: 'high' },
+            { pattern: /token\s*=\s*["'][A-Za-z0-9_\-]{20,}["']/i, type: 'hardcoded-token', severity: 'high' },
+            { pattern: /private[_-]?key/i, type: 'hardcoded-private-key', severity: 'critical' },
+            { pattern: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/, type: 'embedded-private-key', severity: 'critical' },
+            { pattern: /aws[_-]?(access[_-]?key|secret)/i, type: 'aws-credentials', severity: 'critical' },
+        ];
+        // Check strings for secret patterns
+        for (const str of ir.strings) {
+            for (const { pattern, type, severity } of secretPatterns) {
+                if (pattern.test(str.raw) || pattern.test(str.value)) {
+                    findings.push({
+                        id: `secret-${type}-${str.line}`,
+                        type,
+                        message: `Potential ${type.replace(/-/g, ' ')} detected at line ${str.line}.`,
+                        severity,
+                        confidence: 0.8,
+                        cwe: 'CWE-798',
+                        owasp: 'A07:2021',
+                        location: {
+                            file: ir.filePath,
+                            line: str.line,
+                            column: str.column,
+                        },
+                        remediation: 'Move secrets to environment variables or a secrets manager.',
+                    });
+                    break; // Only one finding per string
+                }
+            }
+        }
+        // Note: Field-level checks skipped - FieldInfo doesn't include line numbers.
+        // The string literal checks above catch most hardcoded secrets.
+        return {
+            agentId: hardcodedSecretsAgent.id,
+            agentName: hardcodedSecretsAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Insecure Crypto Agent
+// ============================================================================
+export const insecureCryptoAgent = {
+    id: 'security.insecure-crypto',
+    name: 'Insecure Cryptography Detector',
+    description: 'Detects use of weak or broken cryptographic algorithms',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        // Weak algorithms to detect
+        const weakAlgorithms = [
+            { pattern: /MD5|md5/, name: 'MD5', cwe: 'CWE-328' },
+            { pattern: /SHA-?1(?![0-9])|sha1/i, name: 'SHA-1', cwe: 'CWE-328' },
+            { pattern: /DES(?!ede)|des(?!ede)/i, name: 'DES', cwe: 'CWE-327' },
+            { pattern: /RC4|rc4|ARCFOUR/i, name: 'RC4', cwe: 'CWE-327' },
+            { pattern: /Blowfish/i, name: 'Blowfish', cwe: 'CWE-327' },
+            { pattern: /ECB/, name: 'ECB mode', cwe: 'CWE-327' },
+        ];
+        // Check strings for weak algorithm references
+        for (const str of ir.strings) {
+            for (const { pattern, name, cwe } of weakAlgorithms) {
+                if (pattern.test(str.value)) {
+                    findings.push({
+                        id: `crypto-weak-${str.line}`,
+                        type: 'weak-cryptography',
+                        message: `Weak cryptographic algorithm "${name}" used at line ${str.line}.`,
+                        severity: 'medium',
+                        confidence: 0.85,
+                        cwe,
+                        owasp: 'A02:2021',
+                        location: {
+                            file: ir.filePath,
+                            line: str.line,
+                        },
+                        remediation: `Replace ${name} with a stronger algorithm (e.g., SHA-256, AES-GCM).`,
+                    });
+                    break;
+                }
+            }
+        }
+        // Check for insecure random
+        for (const call of ir.base.calls || []) {
+            if (call.receiver === 'Random' || call.method_name === 'Random') {
+                findings.push({
+                    id: `crypto-random-${call.location.line}`,
+                    type: 'insecure-random',
+                    message: `java.util.Random used at line ${call.location.line}. Not cryptographically secure.`,
+                    severity: 'medium',
+                    confidence: 0.7,
+                    cwe: 'CWE-330',
+                    location: {
+                        file: ir.filePath,
+                        line: call.location.line,
+                    },
+                    remediation: 'Use SecureRandom for security-sensitive randomness.',
+                });
+            }
+        }
+        return {
+            agentId: insecureCryptoAgent.id,
+            agentName: insecureCryptoAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Endpoint Security Agent
+// ============================================================================
+export const endpointSecurityAgent = {
+    id: 'security.endpoint',
+    name: 'Endpoint Security Analyzer',
+    description: 'Analyzes API endpoints for security issues',
+    category: 'security',
+    async analyze(ir, options) {
+        const findings = [];
+        const startTime = Date.now();
+        for (const endpoint of ir.endpoints) {
+            // Check for endpoints without authentication annotations
+            const handlerType = ir.base.types.find(t => t.name === endpoint.handlerClass);
+            if (handlerType) {
+                const method = handlerType.methods?.find(m => m.name === endpoint.handlerMethod);
+                const annotations = [...(handlerType.annotations || []), ...(method?.annotations || [])];
+                const hasAuthAnnotation = annotations.some(a => /PreAuthorize|Secured|RolesAllowed|RequiresAuthentication/.test(a));
+                if (!hasAuthAnnotation) {
+                    findings.push({
+                        id: `endpoint-noauth-${endpoint.line}`,
+                        type: 'missing-authentication',
+                        message: `Endpoint ${endpoint.method} ${endpoint.path} may lack authentication.`,
+                        severity: 'medium',
+                        confidence: 0.7,
+                        cwe: 'CWE-306',
+                        owasp: 'A07:2021',
+                        location: {
+                            file: ir.filePath,
+                            line: endpoint.line,
+                        },
+                        metadata: {
+                            endpoint: `${endpoint.method} ${endpoint.path}`,
+                            handler: `${endpoint.handlerClass}.${endpoint.handlerMethod}`,
+                        },
+                        remediation: 'Add authentication annotation like @PreAuthorize or @Secured.',
+                    });
+                }
+            }
+            // Check for endpoints accepting arbitrary input
+            const hasUnvalidatedInput = endpoint.params.some(p => !p.type.includes('Valid') && (p.type === 'String' || p.type === 'Object'));
+            if (hasUnvalidatedInput) {
+                findings.push({
+                    id: `endpoint-validation-${endpoint.line}`,
+                    type: 'missing-validation',
+                    message: `Endpoint ${endpoint.method} ${endpoint.path} has unvalidated String/Object parameters.`,
+                    severity: 'low',
+                    confidence: 0.6,
+                    cwe: 'CWE-20',
+                    location: {
+                        file: ir.filePath,
+                        line: endpoint.line,
+                    },
+                    metadata: {
+                        endpoint: `${endpoint.method} ${endpoint.path}`,
+                        params: endpoint.params.map(p => p.name),
+                    },
+                    remediation: 'Add @Valid annotation and define validation constraints on DTOs.',
+                });
+            }
+        }
+        return {
+            agentId: endpointSecurityAgent.id,
+            agentName: endpointSecurityAgent.name,
+            category: 'security',
+            success: true,
+            findings,
+            processingTimeMs: Date.now() - startTime,
+        };
+    },
+};
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Find the method containing a given line.
+ */
+function findContainingMethod(lineNum, ir) {
+    for (const type of ir.base.types) {
+        for (const method of type.methods || []) {
+            if (lineNum >= method.start_line && lineNum <= method.end_line) {
+                return `${type.name}.${method.name}`;
+            }
+        }
+    }
+    return undefined;
+}
+// ============================================================================
+// Registration
+// ============================================================================
+/**
+ * All security agents.
+ */
+export const securityAgents = [
+    sqlInjectionAgent,
+    xssAgent,
+    commandInjectionAgent,
+    pathTraversalAgent,
+    deserializationAgent,
+    xxeAgent,
+    ldapInjectionAgent,
+    xpathInjectionAgent,
+    ssrfAgent,
+    codeInjectionAgent,
+    hardcodedSecretsAgent,
+    insecureCryptoAgent,
+    endpointSecurityAgent,
+];
+/**
+ * Register all security agents with the runner.
+ */
+export function registerSecurityAgents() {
+    for (const agent of securityAgents) {
+        registerAgent(agent);
+    }
+}
+//# sourceMappingURL=security.js.map