codeslick-cli 1.0.0

package/dist/src/lib/analyzers/java/security-checks/logging-failures.js

@@ -0,0 +1,89 @@
+"use strict";
+/**
+ * Java Logging Failures Security Checks
+ * OWASP A09:2025 - Security Logging and Monitoring Failures
+ *
+ * Detects logging security failures in Java applications.
+ * Updated for OWASP 2025 with security logging patterns (Phase 7B Day 9).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkLoggingFailures = checkLoggingFailures;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for logging security vulnerabilities in Java code
+ *
+ * Covers:
+ * - Check #1: Missing security event logging (MEDIUM)
+ * - Check #2: System.out.println in production (LOW)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkLoggingFailures(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // CRITICAL: Track multi-line comment blocks (/* ... */)
+        if (trimmedLine.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmedLine.includes('*/')) {
+            inMultiLineComment = false;
+            return; // Skip the line with */
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('//')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: Missing security event logging
+        // Look for security-sensitive operations without logging
+        const securityKeywords = [
+            'login', 'authenticate', 'authorization', 'accessdenied',
+            'deleteuser', 'deleteaccount', 'resetpassword', 'changepassword'
+        ];
+        const hasSecurityOperation = securityKeywords.some(keyword => lowerLine.includes(keyword));
+        if (hasSecurityOperation) {
+            // Check if it's a method declaration
+            const isMethodDeclaration = lowerLine.match(/^(public|private|protected)\s+\w+\s+\w+\s*\(/);
+            if (isMethodDeclaration) {
+                // Look for logging in the next 10 lines (method body)
+                const nextLines = lines.slice(index + 1, Math.min(index + 11, lines.length));
+                const hasLogging = nextLines.some(nextLine => {
+                    const lowerNext = nextLine.toLowerCase();
+                    return lowerNext.includes('logger.') ||
+                        lowerNext.includes('log.info') ||
+                        lowerNext.includes('log.warn') ||
+                        lowerNext.includes('log.error') ||
+                        lowerNext.includes('log.debug');
+                });
+                if (!hasLogging) {
+                    vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('missing-security-logging', 'security event missing audit logging', 'Add logger statements for security events (authentication, authorization, access control)', index + 1, 'Missing security event logging prevents detection of attacks, makes incident response impossible, and violates compliance requirements (PCI-DSS, HIPAA, SOC 2)', 'public void login(String user, String pass) {\n  authenticate(user, pass); // No logging!\n}', [
+                        'Cannot detect ongoing attacks or breaches',
+                        'No audit trail for compliance (PCI-DSS 10.2)',
+                        'Incident response and forensics impossible',
+                        'Cannot identify compromised accounts',
+                        'Violations go undetected'
+                    ], 'public void login(String username, String password) {\n  User user = authenticate(username, password);\n}', 'public void login(String username, String password) {\n  logger.info("Login attempt for user: {}", username);\n  User user = authenticate(username, password);\n  logger.info("Successful login for user: {}", username);\n}', 'Always log security events: authentication, authorization failures, access control violations, data modifications'));
+                }
+            }
+        }
+        // Check #2: System.out.println / System.err.println in production
+        if (lowerLine.includes('system.out.println') ||
+            lowerLine.includes('system.err.println') ||
+            lowerLine.includes('.printstacktrace()')) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('system-out-println', 'System.out/err.println detected - use proper logging framework', 'Replace with SLF4J logger (logger.info, logger.error)', index + 1, 'System.out.println writes to stdout which is not captured by logging systems, cannot be configured, filtered, or monitored. Production systems need centralized logging for monitoring and alerting', 'System.out.println("Processing order: " + orderId); // Lost in production!', [
+                'No centralized logging or monitoring',
+                'Cannot be filtered by severity or category',
+                'No log rotation or retention policies',
+                'Performance impact (synchronous, blocking I/O)',
+                'Violates 12-factor app principles'
+            ], 'System.out.println("User logged in: " + username);', 'logger.info("User logged in: {}", username);', 'Use SLF4J or similar logging frameworks that support log levels, filtering, rotation, and centralized aggregation'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=logging-failures.js.map

package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logging-failures.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/logging-failures.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAeH,oDA4GC;AAxHD,sEAA+E;AAE/E;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAClC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,2CAA2C;QAC3C,yDAAyD;QACzD,MAAM,gBAAgB,GAAG;YACvB,OAAO,EAAE,cAAc,EAAE,eAAe,EAAE,cAAc;YACxD,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,gBAAgB;SACjE,CAAC;QAEF,MAAM,oBAAoB,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAC3D,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC5B,CAAC;QAEF,IAAI,oBAAoB,EAAE,CAAC;YACzB,qCAAqC;YACrC,MAAM,mBAAmB,GAAG,SAAS,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;YAE5F,IAAI,mBAAmB,EAAE,CAAC;gBACxB,sDAAsD;gBACtD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC7E,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;oBAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;oBACzC,OAAO,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;wBAC7B,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;wBAC9B,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;wBAC9B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;wBAC/B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;gBACzC,CAAC,CAAC,CAAC;gBAEH,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,0BAA0B,EAC1B,sCAAsC,EACtC,2FAA2F,EAC3F,KAAK,GAAG,CAAC,EACT,gKAAgK,EAChK,8FAA8F,EAC9F;wBACE,2CAA2C;wBAC3C,8CAA8C;wBAC9C,4CAA4C;wBAC5C,sCAAsC;wBACtC,0BAA0B;qBAC3B,EACD,2GAA2G,EAC3G,8NAA8N,EAC9N,mHAAmH,CACpH,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,IAAI,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC;YACxC,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC;YACxC,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC7C,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,oBAAoB,EACpB,gEAAgE,EAChE,uDAAuD,EACvD,KAAK,GAAG,CAAC,EACT,qMAAqM,EACrM,4EAA4E,EAC5E;gBACE,sCAAsC;gBACtC,4CAA4C;gBAC5C,uCAAuC;gBACvC,gDAAgD;gBAChD,mCAAmC;aACpC,EACD,oDAAoD,EACpD,8CAA8C,EAC9C,mHAAmH,CACpH,CACF,CAAC;QACJ,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Java Security Misconfiguration Checks
+ * OWASP A02:2025 - Security Misconfiguration
+ *
+ * Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+ * Focus: Spring Security configs, logging levels, default settings, etc.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for security misconfiguration vulnerabilities in Java code
+ *
+ * Covers:
+ * - Check #1: Spring Security disabled (HIGH)
+ * - Check #2: Debug logging enabled (MEDIUM)
+ * - Check #3: Default admin credentials (CRITICAL)
+ * - Check #4: Insecure random for security tokens (MEDIUM)
+ * - Check #5: Weak SSL/TLS configuration (HIGH)
+ * - Check #6: Exposed management endpoints (HIGH)
+ * - Check #7: Error details in exceptions (MEDIUM)
+ * - Check #8: Insecure deserialization settings (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkSecurityMisconfiguration(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=security-misconfiguration.d.ts.map

package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-misconfiguration.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/security-misconfiguration.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA2TzB"}

package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js

@@ -0,0 +1,309 @@
+"use strict";
+/**
+ * Java Security Misconfiguration Checks
+ * OWASP A02:2025 - Security Misconfiguration
+ *
+ * Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+ * Focus: Spring Security configs, logging levels, default settings, etc.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSecurityMisconfiguration = checkSecurityMisconfiguration;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for security misconfiguration vulnerabilities in Java code
+ *
+ * Covers:
+ * - Check #1: Spring Security disabled (HIGH)
+ * - Check #2: Debug logging enabled (MEDIUM)
+ * - Check #3: Default admin credentials (CRITICAL)
+ * - Check #4: Insecure random for security tokens (MEDIUM)
+ * - Check #5: Weak SSL/TLS configuration (HIGH)
+ * - Check #6: Exposed management endpoints (HIGH)
+ * - Check #7: Error details in exceptions (MEDIUM)
+ * - Check #8: Insecure deserialization settings (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkSecurityMisconfiguration(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // CRITICAL: Track multi-line comment blocks (/* ... */)
+        if (trimmedLine.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmedLine.includes('*/')) {
+            inMultiLineComment = false;
+            return; // Skip the line with */
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        // FIX (Dec 6, 2025): Removed trimmedLine.startsWith('*') check
+        // Reason: Lines in multi-line comments can start with '-', text, etc. (not just '*')
+        // Example: "- Default credentials: String password = \"admin\"" in documentation was being detected
+        // Solution: Rely on inMultiLineComment flag only
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('//')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: Spring Security disabled or misconfigured
+        if ((lowerLine.includes('@enablewebsecurity') && lowerLine.includes('false')) ||
+            (lowerLine.includes('security') && lowerLine.includes('disable')) ||
+            lowerLine.includes('permitall()')) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'HIGH',
+                confidence: 'HIGH',
+                message: 'Spring Security may be disabled or misconfigured',
+                line: index + 1,
+                suggestion: 'Review security configuration and ensure proper authentication/authorization',
+                owasp: 'A02:2025',
+                cwe: 'CWE-16',
+                pciDss: 'Requirement 7.1',
+                remediation: {
+                    explanation: 'Disabling security controls exposes application to unauthorized access',
+                    before: 'http.authorizeRequests().anyRequest().permitAll()',
+                    after: 'http.authorizeRequests().anyRequest().authenticated()'
+                },
+                attackVector: {
+                    description: 'Disabled security controls allow unauthorized access to protected resources',
+                    realWorldImpact: [
+                        'Complete bypass of authentication mechanisms',
+                        'Unauthorized access to sensitive endpoints',
+                        'Administrative function exposure',
+                        'Data access without authorization'
+                    ]
+                }
+            }));
+        }
+        // Check #2: Debug logging enabled in production
+        if ((lowerLine.includes('logger.setlevel') && lowerLine.includes('debug')) ||
+            (lowerLine.includes('log4j') && lowerLine.includes('debug')) ||
+            (lowerLine.includes('logging.level') && lowerLine.includes('debug'))) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'MEDIUM',
+                confidence: 'MEDIUM',
+                message: 'Debug logging may be enabled in production environment',
+                line: index + 1,
+                suggestion: 'Use INFO or WARN level logging in production environments',
+                owasp: 'A02:2025',
+                cwe: 'CWE-489',
+                pciDss: 'Requirement 6.1',
+                remediation: {
+                    explanation: 'Debug logging can expose sensitive information and impact performance',
+                    before: 'logger.setLevel(Level.DEBUG)',
+                    after: 'logger.setLevel(Level.INFO) // or use configuration files'
+                },
+                attackVector: {
+                    description: 'Debug logs may contain sensitive data, stack traces, and system internals',
+                    realWorldImpact: [
+                        'Sensitive data exposure in log files',
+                        'System architecture revelation',
+                        'Performance degradation',
+                        'Storage space exhaustion'
+                    ]
+                }
+            }));
+        }
+        // Check #3: Default admin credentials
+        if ((lowerLine.includes('username') &&
+            (lowerLine.includes('"admin"') || lowerLine.includes("'admin'"))) ||
+            (lowerLine.includes('password') &&
+                (lowerLine.includes('"admin"') || lowerLine.includes("'admin'") ||
+                    lowerLine.includes('"password"') || lowerLine.includes("'password'")))) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'CRITICAL',
+                confidence: 'HIGH',
+                message: 'Default admin credentials detected in configuration',
+                line: index + 1,
+                suggestion: 'Use strong, unique credentials stored in secure configuration',
+                owasp: 'A02:2025',
+                cwe: 'CWE-798',
+                pciDss: 'Requirement 2.1',
+                remediation: {
+                    explanation: 'Default credentials are well-known and provide immediate unauthorized access',
+                    before: 'String password = "admin";',
+                    after: 'String password = System.getenv("ADMIN_PASSWORD");'
+                },
+                attackVector: {
+                    description: 'Default credentials are publicly known and easily exploited',
+                    realWorldImpact: [
+                        'Immediate administrative access',
+                        'Complete system compromise',
+                        'Data theft and manipulation',
+                        'Privilege escalation opportunities'
+                    ]
+                }
+            }));
+        }
+        // Check #4: Insecure random for security tokens
+        // FIX (Dec 6, 2025): Added method context detection (not just same-line keywords)
+        // Example missed: public String generateSecurityToken() { return String.valueOf(Math.random()); }
+        // Now checks previous 5 lines for security method names
+        if (lowerLine.includes('math.random()')) {
+            const hasSameLineKeyword = lowerLine.includes('token') || lowerLine.includes('session') ||
+                lowerLine.includes('password') || lowerLine.includes('secret');
+            // Check previous 5 lines for security method context
+            const prevLines = lines.slice(Math.max(0, index - 5), index);
+            const hasContextKeyword = prevLines.some(l => l.toLowerCase().match(/password|token|key|secret|salt|nonce|session|auth|security/i) ||
+                l.match(/(public|private|protected)\s+\w+\s+(generate|create)(Token|Key|Password|Secret|Session|Auth|Security)/i));
+            if (hasSameLineKeyword || hasContextKeyword) {
+                vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                    category: 'Security Misconfiguration',
+                    severity: 'MEDIUM',
+                    confidence: 'HIGH',
+                    message: 'Insecure random number generator used for security-sensitive operations',
+                    line: index + 1,
+                    suggestion: 'Use SecureRandom for cryptographically secure random numbers',
+                    owasp: 'A02:2025',
+                    cwe: 'CWE-338',
+                    pciDss: 'Requirement 3.4',
+                    remediation: {
+                        explanation: 'Math.random() is predictable and unsuitable for security tokens',
+                        before: 'String token = String.valueOf(Math.random());',
+                        after: 'SecureRandom sr = new SecureRandom();\nString token = new BigInteger(130, sr).toString(32);'
+                    },
+                    attackVector: {
+                        description: 'Predictable tokens enable session hijacking and security bypass',
+                        realWorldImpact: [
+                            'Session token prediction',
+                            'Authentication bypass',
+                            'CSRF token guessing',
+                            'Password reset token compromise'
+                        ]
+                    }
+                }));
+            }
+        }
+        // Check #5: Weak SSL/TLS configuration
+        // FIX (Dec 6, 2025): Added setDefaultHostnameVerifier detection with lambda pattern
+        // Example missed: HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
+        // Now detects: setDefaultHostnameVerifier + lambda returning true
+        if ((lowerLine.includes('sslcontext') && lowerLine.includes('ssl')) ||
+            (lowerLine.includes('trustallcerts') || lowerLine.includes('trust_all')) ||
+            (lowerLine.includes('hostname') && lowerLine.includes('verif') && lowerLine.includes('false')) ||
+            (lowerLine.includes('setdefaulthostnameverifier') && lowerLine.includes('-> true')) ||
+            (lowerLine.includes('setdefaulthostnameverifier') &&
+                lines.slice(index, Math.min(index + 3, lines.length)).some(nextLine => nextLine.toLowerCase().includes('-> true')))) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'HIGH',
+                confidence: 'MEDIUM',
+                message: 'Weak SSL/TLS configuration detected',
+                line: index + 1,
+                suggestion: 'Use secure SSL/TLS configurations with proper certificate validation',
+                owasp: 'A02:2025',
+                cwe: 'CWE-295',
+                pciDss: 'Requirement 4.1',
+                remediation: {
+                    explanation: 'Weak SSL configurations enable man-in-the-middle attacks',
+                    before: 'HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true)',
+                    after: 'HttpsURLConnection.setDefaultHostnameVerifier(new DefaultHostnameVerifier())'
+                },
+                attackVector: {
+                    description: 'Weak SSL/TLS enables interception and manipulation of encrypted communications',
+                    realWorldImpact: [
+                        'Man-in-the-middle attacks',
+                        'Certificate validation bypass',
+                        'Encrypted data interception',
+                        'Communication integrity compromise'
+                    ]
+                }
+            }));
+        }
+        // Check #6: Exposed management endpoints
+        if (lowerLine.includes('management.endpoints') ||
+            (lowerLine.includes('actuator') && lowerLine.includes('expose'))) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'HIGH',
+                confidence: 'MEDIUM',
+                message: 'Spring Boot management endpoints may be exposed',
+                line: index + 1,
+                suggestion: 'Secure management endpoints with authentication and restrict access',
+                owasp: 'A02:2025',
+                cwe: 'CWE-200',
+                pciDss: 'Requirement 7.1',
+                remediation: {
+                    explanation: 'Exposed management endpoints reveal sensitive application internals',
+                    before: 'management.endpoints.web.exposure.include=*',
+                    after: 'management.endpoints.web.exposure.include=health,info'
+                },
+                attackVector: {
+                    description: 'Management endpoints expose application configuration and runtime information',
+                    realWorldImpact: [
+                        'Internal configuration exposure',
+                        'Environment variable disclosure',
+                        'Application metrics and health information',
+                        'Potential administrative access'
+                    ]
+                }
+            }));
+        }
+        // Check #7: Error details in exceptions
+        if (lowerLine.includes('printstacktrace()') ||
+            (lowerLine.includes('exception') && lowerLine.includes('getmessage') &&
+                lowerLine.includes('response'))) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'MEDIUM',
+                confidence: 'MEDIUM',
+                message: 'Detailed error information may be exposed to users',
+                line: index + 1,
+                suggestion: 'Log detailed errors server-side, return generic error messages to users',
+                owasp: 'A02:2025',
+                cwe: 'CWE-209',
+                pciDss: 'Requirement 6.1',
+                remediation: {
+                    explanation: 'Detailed exception information reveals internal application structure',
+                    before: 'response.getWriter().println(e.getMessage());',
+                    after: 'logger.error("Error occurred", e);\nresponse.getWriter().println("Internal server error");'
+                },
+                attackVector: {
+                    description: 'Exception details can reveal file paths, database schemas, and application logic',
+                    realWorldImpact: [
+                        'Internal system information disclosure',
+                        'File path and directory structure exposure',
+                        'Database schema and query information',
+                        'Third-party library version fingerprinting'
+                    ]
+                }
+            }));
+        }
+        // Check #8: Insecure deserialization settings
+        if (lowerLine.includes('objectinputstream') && !lowerLine.includes('filter')) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)({
+                category: 'Security Misconfiguration',
+                severity: 'HIGH',
+                confidence: 'MEDIUM',
+                message: 'Unfiltered object deserialization may allow arbitrary code execution',
+                line: index + 1,
+                suggestion: 'Implement deserialization filters to restrict allowed classes',
+                owasp: 'A02:2025',
+                cwe: 'CWE-502',
+                pciDss: 'Requirement 6.1',
+                remediation: {
+                    explanation: 'Unfiltered deserialization can lead to remote code execution',
+                    before: 'ObjectInputStream ois = new ObjectInputStream(inputStream);',
+                    after: 'ObjectInputStream ois = new ObjectInputStream(inputStream);\nois.setObjectInputFilter(ObjectInputFilter.rejectUndecidedClass);'
+                },
+                attackVector: {
+                    description: 'Malicious serialized objects can execute arbitrary code during deserialization',
+                    realWorldImpact: [
+                        'Remote code execution',
+                        'Complete server compromise',
+                        'Data theft and manipulation',
+                        'Denial of service attacks'
+                    ]
+                }
+            }));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=security-misconfiguration.js.map

package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-misconfiguration.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/security-misconfiguration.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAqBH,sEA6TC;AA/UD,sEAA+E;AAE/E;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,6BAA6B,CAC3C,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,+DAA+D;QAC/D,qFAAqF;QACrF,oGAAoG;QACpG,iDAAiD;QACjD,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,sDAAsD;QACtD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACzE,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACjE,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,kDAAkD;gBAC3D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,8EAA8E;gBAC1F,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,QAAQ;gBACb,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,wEAAwE;oBACrF,MAAM,EAAE,mDAAmD;oBAC3D,KAAK,EAAE,uDAAuD;iBAC/D;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,6EAA6E;oBAC1F,eAAe,EAAE;wBACf,8CAA8C;wBAC9C,4CAA4C;wBAC5C,kCAAkC;wBAClC,mCAAmC;qBACpC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACtE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC5D,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,wDAAwD;gBACjE,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,2DAA2D;gBACvE,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,uEAAuE;oBACpF,MAAM,EAAE,8BAA8B;oBACtC,KAAK,EAAE,2DAA2D;iBACnE;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,2EAA2E;oBACxF,eAAe,EAAE;wBACf,sCAAsC;wBACtC,gCAAgC;wBAChC,yBAAyB;wBACzB,0BAA0B;qBAC3B;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC9B,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YAClE,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC9B,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC9D,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,qDAAqD;gBAC9D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,+DAA+D;gBAC3E,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,8EAA8E;oBAC3F,MAAM,EAAE,4BAA4B;oBACpC,KAAK,EAAE,oDAAoD;iBAC5D;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,6DAA6D;oBAC1E,eAAe,EAAE;wBACf,iCAAiC;wBACjC,4BAA4B;wBAC5B,6BAA6B;wBAC7B,oCAAoC;qBACrC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,kFAAkF;QAClF,kGAAkG;QAClG,wDAAwD;QACxD,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,MAAM,kBAAkB,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC3D,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE3F,qDAAqD;YACrD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAC7D,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC3C,CAAC,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,6DAA6D,CAAC;gBACpF,CAAC,CAAC,KAAK,CAAC,wGAAwG,CAAC,CAClH,CAAC;YAEF,IAAI,kBAAkB,IAAI,iBAAiB,EAAE,CAAC;gBAC5C,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;oBAC9B,QAAQ,EAAE,2BAA2B;oBACrC,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,yEAAyE;oBAClF,IAAI,EAAE,KAAK,GAAG,CAAC;oBACf,UAAU,EAAE,8DAA8D;oBAC1E,KAAK,EAAE,UAAU;oBACjB,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,iBAAiB;oBACzB,WAAW,EAAE;wBACX,WAAW,EAAE,iEAAiE;wBAC9E,MAAM,EAAE,+CAA+C;wBACvD,KAAK,EAAE,6FAA6F;qBACrG;oBACD,YAAY,EAAE;wBACZ,WAAW,EAAE,iEAAiE;wBAC9E,eAAe,EAAE;4BACf,0BAA0B;4BAC1B,uBAAuB;4BACvB,qBAAqB;4BACrB,iCAAiC;yBAClC;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,oFAAoF;QACpF,8FAA8F;QAC9F,kEAAkE;QAClE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC/D,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACxE,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC9F,CAAC,SAAS,CAAC,QAAQ,CAAC,4BAA4B,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACnF,CAAC,SAAS,CAAC,QAAQ,CAAC,4BAA4B,CAAC;gBAChD,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACpE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;YACpD,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,qCAAqC;gBAC9C,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,sEAAsE;gBAClF,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,0DAA0D;oBACvE,MAAM,EAAE,4EAA4E;oBACpF,KAAK,EAAE,8EAA8E;iBACtF;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,gFAAgF;oBAC7F,eAAe,EAAE;wBACf,2BAA2B;wBAC3B,+BAA+B;wBAC/B,6BAA6B;wBAC7B,oCAAoC;qBACrC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YAC1C,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,iDAAiD;gBAC1D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,qEAAqE;gBACjF,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,qEAAqE;oBAClF,MAAM,EAAE,6CAA6C;oBACrD,KAAK,EAAE,uDAAuD;iBAC/D;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,+EAA+E;oBAC5F,eAAe,EAAE;wBACf,iCAAiC;wBACjC,iCAAiC;wBACjC,4CAA4C;wBAC5C,iCAAiC;qBAClC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YACvC,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;gBACnE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YACrC,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,oDAAoD;gBAC7D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,yEAAyE;gBACrF,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,uEAAuE;oBACpF,MAAM,EAAE,+CAA+C;oBACvD,KAAK,EAAE,4FAA4F;iBACpG;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,kFAAkF;oBAC/F,eAAe,EAAE;wBACf,wCAAwC;wBACxC,4CAA4C;wBAC5C,uCAAuC;wBACvC,4CAA4C;qBAC7C;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7E,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAAC;gBAC9B,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,sEAAsE;gBAC/E,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,+DAA+D;gBAC3E,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,8DAA8D;oBAC3E,MAAM,EAAE,6DAA6D;oBACrE,KAAK,EAAE,gIAAgI;iBACxI;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,gFAAgF;oBAC7F,eAAe,EAAE;wBACf,uBAAuB;wBACvB,4BAA4B;wBAC5B,6BAA6B;wBAC7B,2BAA2B;qBAC5B;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Unsafe Code Patterns Module
+ *
+ * Detects unsafe coding patterns in Java source code including:
+ * - Reflection without validation
+ * - Unhandled NullPointerException
+ * - Generic Exception catch blocks
+ *
+ * OWASP A04:2021 - Insecure Design
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Check for unsafe code patterns in Java code
+ * @param lines - Array of code lines to analyze
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkUnsafePatterns(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=unsafe-patterns.d.ts.map

package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unsafe-patterns.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/unsafe-patterns.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CAqI5E"}

package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js

@@ -0,0 +1,114 @@
+"use strict";
+/**
+ * Unsafe Code Patterns Module
+ *
+ * Detects unsafe coding patterns in Java source code including:
+ * - Reflection without validation
+ * - Unhandled NullPointerException
+ * - Generic Exception catch blocks
+ *
+ * OWASP A04:2021 - Insecure Design
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkUnsafePatterns = checkUnsafePatterns;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Check for unsafe code patterns in Java code
+ * @param lines - Array of code lines to analyze
+ * @returns Array of security vulnerabilities found
+ */
+function checkUnsafePatterns(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmed = line.trim();
+        const lineNumber = index + 1;
+        // CRITICAL: Track multi-line comment blocks (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return; // Skip the line with */
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        // FIX (Dec 6, 2025): Added proper multi-line comment tracking
+        if (!trimmed ||
+            inMultiLineComment ||
+            trimmed.startsWith('//')) {
+            return;
+        }
+        // 13. Reflection without validation - HIGH
+        // FIX (Dec 6, 2025): Added whitelist context checking (same as enhanced-supply-chain.ts)
+        // FIX (Dec 9, 2025): Exclude safe API patterns (DocumentBuilderFactory, standard library)
+        if (trimmed.match(/Class\s*\.\s*forName\s*\(/) || trimmed.match(/\.newInstance\s*\(/)) {
+            // Skip safe patterns: Standard Java APIs using reflection internally
+            const safeApiPatterns = [
+                'DocumentBuilderFactory.class.getMethod',
+                'SAXParserFactory.class.getMethod',
+                'TransformerFactory.class.getMethod',
+                'XPathFactory.class.getMethod',
+                'Class.forName("java.', // Standard library classes
+                'Class.forName("javax.', // Java extension classes
+                '.getClass().getMethod("get', // Getter method reflection
+                '.getClass().getMethod("set', // Setter method reflection
+            ];
+            const isSafeApiPattern = safeApiPatterns.some(pattern => trimmed.includes(pattern));
+            if (isSafeApiPattern) {
+                return; // Skip safe Java API patterns
+            }
+            const hasSameLineValidation = trimmed.toLowerCase().includes('validate') ||
+                trimmed.toLowerCase().includes('whitelist') ||
+                trimmed.toLowerCase().includes('allowlist');
+            // Check previous 10 lines for whitelist context
+            const prevLines = lines.slice(Math.max(0, index - 10), index);
+            const hasWhitelistContext = prevLines.some(l => {
+                const lowerPrev = l.toLowerCase();
+                return (lowerPrev.includes('whitelist') || lowerPrev.includes('allowlist') ||
+                    lowerPrev.includes('allowed') || lowerPrev.includes('safe')) &&
+                    (lowerPrev.includes('set.of') || lowerPrev.includes('arrays.aslist') ||
+                        lowerPrev.includes('list.of'));
+            });
+            // Check if there's a .contains() validation before Class.forName
+            const hasContainsCheck = prevLines.some(l => l.toLowerCase().includes('.contains(') && l.includes('if'));
+            if (!hasSameLineValidation && !hasWhitelistContext && !hasContainsCheck) {
+                vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('unsafe-reflection', 'Unsafe reflection with potential user input detected', 'Validate class names against a strict whitelist before using reflection', lineNumber, 'Java reflection allows instantiating arbitrary classes and calling their methods at runtime. If an attacker can control the class name, they can instantiate dangerous classes (like ProcessBuilder, Runtime, ClassLoader) to execute arbitrary code, access sensitive data, or bypass security restrictions.', 'Class.forName(userInput).newInstance() where userInput = "java.lang.Runtime" can execute commands via Runtime.getRuntime().exec()', [
+                    'Remote Code Execution',
+                    'Arbitrary class instantiation',
+                    'Security manager bypass',
+                    'Access to private APIs',
+                    'Privilege escalation'
+                ], 'String className = request.getParameter("class");\nClass<?> clazz = Class.forName(className); // Dangerous\nObject instance = clazz.newInstance();', 'String className = request.getParameter("class");\n// Whitelist validation\nSet<String> allowedClasses = Set.of("com.app.SafeClass1", "com.app.SafeClass2");\nif (!allowedClasses.contains(className)) {\n  throw new SecurityException("Class not allowed");\n}\nClass<?> clazz = Class.forName(className);\nObject instance = clazz.newInstance();', 'Always validate class names against a strict whitelist of allowed classes. Never use user input directly in Class.forName() or newInstance() calls'));
+            }
+        }
+        // 14. Unhandled NullPointerException - MEDIUM
+        // FIX (Dec 6, 2025): Removed old comment checks - now handled by inMultiLineComment tracking
+        // FIX (Dec 11, 2025): Skip method calls on 'new' expressions - constructors return non-null objects
+        // Example: new BigInteger(130, random).toString(32) is safe, toString() cannot be called on null
+        if (trimmed.match(/\.\w+\s*\(/) && !trimmed.includes('if') && !trimmed.includes('Optional') &&
+            !trimmed.includes('Objects.requireNonNull') && !trimmed.includes('new ')) {
+            const prevLines = lines.slice(Math.max(0, index - 2), index);
+            const hasNullCheck = prevLines.some(l => l.includes('!= null') || l.includes('== null'));
+            if (!hasNullCheck && Math.random() < 0.1) { // Sample 10% to avoid too many warnings
+                vulnerabilities.push({
+                    severity: 'low',
+                    message: 'Possible NullPointerException without null check',
+                    suggestion: 'Use Optional<T>, Objects.requireNonNull(), or null check: if (obj != null)',
+                    line: lineNumber
+                });
+            }
+        }
+        // 18. Generic Exception catch - LOW
+        if (trimmed.match(/catch\s*\(\s*Exception\s+\w+\s*\)/)) {
+            vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('generic-exception-catch', 'Generic Exception catch detected - hides specific errors', 'Catch specific exceptions: catch (IOException | SQLException e)', lineNumber, 'Catching generic Exception masks different error conditions and makes it impossible to handle them appropriately. Security-critical exceptions (like authentication failures, access denials) may be handled the same way as benign errors, leading to bypasses. It also catches RuntimeExceptions that may indicate programming errors.', 'catch (Exception e) { return "success"; } // Catches SecurityException, swallowing access denial', [
+                'Security exception bypasses',
+                'Error condition masking',
+                'Difficult debugging',
+                'Improper error handling',
+                'Business logic violations'
+            ], 'try {\n  authenticateUser();\n  accessResource();\n} catch (Exception e) { // Too broad\n  logger.error("Error", e);\n  return "success"; // Wrong!\n}', 'try {\n  authenticateUser();\n  accessResource();\n} catch (AuthenticationException e) {\n  logger.warn("Auth failed", e);\n  return "unauthorized";\n} catch (AccessDeniedException e) {\n  logger.warn("Access denied", e);\n  return "forbidden";\n} catch (IOException e) {\n  logger.error("IO error", e);\n  return "error";\n}', 'Catch specific exceptions to handle each error condition appropriately. Security exceptions should be logged and handled differently from operational errors. Use multi-catch for similar exceptions'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=unsafe-patterns.js.map

package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unsafe-patterns.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/unsafe-patterns.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAUH,kDAqIC;AA5ID,sEAA+E;AAE/E;;;;GAIG;AACH,SAAgB,mBAAmB,CAAC,KAAe;IACjD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAE7B,wDAAwD;QACxD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,8DAA8D;QAC9D,IAAI,CAAC,OAAO;YACR,kBAAkB;YAClB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,2CAA2C;QAC3C,yFAAyF;QACzF,0FAA0F;QAC1F,IAAI,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;YACtF,qEAAqE;YACrE,MAAM,eAAe,GAAG;gBACtB,wCAAwC;gBACxC,kCAAkC;gBAClC,oCAAoC;gBACpC,8BAA8B;gBAC9B,sBAAsB,EAAY,2BAA2B;gBAC7D,uBAAuB,EAAW,yBAAyB;gBAC3D,4BAA4B,EAAM,2BAA2B;gBAC7D,4BAA4B,EAAM,2BAA2B;aAC9D,CAAC;YAEF,MAAM,gBAAgB,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACtD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1B,CAAC;YAEF,IAAI,gBAAgB,EAAE,CAAC;gBACrB,OAAO,CAAC,8BAA8B;YACxC,CAAC;YAED,MAAM,qBAAqB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;gBACxC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC3C,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAE5E,gDAAgD;YAChD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YAC9D,MAAM,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAClE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;oBAC7D,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;wBACnE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YACzC,CAAC,CAAC,CAAC;YAEH,iEAAiE;YACjE,MAAM,gBAAgB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC1C,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAC3D,CAAC;YAEF,IAAI,CAAC,qBAAqB,IAAI,CAAC,mBAAmB,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACxE,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,mBAAmB,EACnB,sDAAsD,EACtD,yEAAyE,EACzE,UAAU,EACV,+SAA+S,EAC/S,mIAAmI,EACnI;oBACE,uBAAuB;oBACvB,+BAA+B;oBAC/B,yBAAyB;oBACzB,wBAAwB;oBACxB,sBAAsB;iBACvB,EACD,oJAAoJ,EACpJ,sVAAsV,EACtV,oJAAoJ,CACrJ,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,6FAA6F;QAC7F,oGAAoG;QACpG,iGAAiG;QACjG,IAAI,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;YACvF,CAAC,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7E,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAC7D,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YAEzF,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,EAAE,CAAC,CAAC,wCAAwC;gBAClF,eAAe,CAAC,IAAI,CAAC;oBACnB,QAAQ,EAAE,KAAK;oBACf,OAAO,EAAE,kDAAkD;oBAC3D,UAAU,EAAE,4EAA4E;oBACxF,IAAI,EAAE,UAAU;iBACjB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,oCAAoC;QACpC,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,yBAAyB,EACzB,0DAA0D,EAC1D,iEAAiE,EACjE,UAAU,EACV,0UAA0U,EAC1U,kGAAkG,EAClG;gBACE,6BAA6B;gBAC7B,yBAAyB;gBACzB,qBAAqB;gBACrB,yBAAyB;gBACzB,2BAA2B;aAC5B,EACD,wJAAwJ,EACxJ,uUAAuU,EACvU,sMAAsM,CACvM,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}